![]() |
| / Lotte Card |
Lotte Card, which suffered a massive hacking incident last year, became the first in the industry to participate in voluntary information security disclosure. Despite not being subject to mandatory disclosure, the company revealed its information security investment amounts and dedicated personnel status, accelerating its efforts to strengthen security and restore trust following the data leak incident. Analysts suggest that the company is publicly demonstrating its commitment to improving information security ahead of the financial authorities' announcement of disciplinary measures next month.
According to the Information Security Disclosure Portal of the Korea Internet & Security Agency (KISA) on July 1, Lotte Card invested 12.57377 billion won in the information security sector last year. This accounts for 9.8% of its total information technology investment (128.36954 billion won), exceeding the 7% guideline under the Electronic Financial Transactions Act.
The number of dedicated information security personnel stood at 36.5 (28.1 internal, 8.4 outsourced), representing 9.5% of the total IT workforce of 383.4. This is nearly double the recommended criteria of 5% or more of the IT workforce stipulated by the Enforcement Decree of the Information Security Industry Promotion Act and financial authority guidelines.
Lotte Card previously suffered a data leak involving the information of 2.97 million customers due to a hacking incident in September last year. In response, Lotte Card announced a plan to invest approximately 120 billion won in the information security sector over the next five years and to increase the proportion of information security within its total IT budget from the current 10% level to 15%. This disclosure appears to prove that the company is faithfully executing its plan.
Beyond information security investments, the company is also pouring efforts into internal controls. This is being driven through employee information security training, regular meetings of the information security committee, the introduction of enhanced Fast IDentity Online (FIDO) authentication system solutions, and incident response drills. Notably, inspection systems such as IT disaster recovery mock drills have also been established.
Regular inspections to raise security awareness among executives and employees are also underway. The company designates a "Information Security Day" period every month to remind staff of the importance of information security. Furthermore, through the posting of the "LOCA SECU Letter," employees share monthly information security issues. Unannounced internal security checks are also being conducted consistently.
Lotte Card is facing sanctions from the Financial Services Commission due to the incident. Initially, a heavy disciplinary measure consisting of a 4.5-month business suspension and a 5 billion won fine was decided, but the final outcome is reportedly expected to be confirmed after mid-next month following re-deliberation. The final level of disciplinary action is drawing significant attention as it could heavily impact Lotte Card's business operations depending on how it is determined.
Meanwhile, other card companies, including Woori Card and Shinhan Card which also experienced data leak incidents, did not participate in the voluntary information security disclosure that closed the previous day.
An official from Lotte Card explained, "Although this disclosure is not mandatory, we voluntarily disclosed our information security status for the first time among card companies to transparently reveal the current situation and responsibly implement information security."
Jeong Chae-hyun
1
2
3
4
5
6
7