![Financial Services Commission Vice Chairman Kwon Dae-young during a joint press briefing with the Ministry of Science and ICT in Jongno District, central Seoul, on Sept. 19. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/09/19/3225f838-c43e-40ae-876e-36c14a57667f.jpg)
Financial Services Commission Vice Chairman Kwon Dae-young speaks during a joint press briefing with the Ministry of Science and ICT at the government complex in Jongno District, central Seoul, on Sept. 19. [YONHAP]
The Financial Services Commission (FSC) of South Korea has unveiled plans to implement punitive fines for security breaches within the financial sector, prompted by a significant data leak at Lotte Card. This follows a troubling trend of security vulnerabilities that have led to violations affecting millions of customers. In a pressing statement, FSC Vice Chairman Kwon Dae-young emphasized the commitment to a thorough overhaul of security protocols across financial institutions.
During a joint press briefing with the Ministry of Science and ICT, Kwon stated, “When security breaches occur, institutions will be held accountable with penalties commensurate to their social impact. We will act decisively to enforce punitive fines.” This response is backed by a revision of the Personal Information Protection Act, allowing for fines of up to 3 percent of a corporation’s total revenue, a sharp corrective measure that aligns with harsher standards seen in the EU and the US.
Public concern is especially high because of Lotte Card’s history; it was also involved in a notorious 2014 data breach affecting three major card issuers. The recent incident has reportedly compromised the information of 2.97 million customers, further eroding consumer trust in financial services. Kwon remarked on the necessity for institutions to reassess their approach to security investment, suggesting that compliance with best practices should not be viewed merely as an operational cost.
The new framework will mandate that chief executive officers take direct accountability for the assessment of IT and information security systems. Oversight will be strengthened through the Financial Supervisory Service (FSS) and the Financial Security Institute (FSI), with results from inspections closely monitored.
Additionally, the FSC plans to empower chief information security officers (CISOs) with the authority to allocate budgetary resources effectively. Enhanced disclosure requirements for consumers will also be introduced, focusing on expediting recovery processes post-breach and ensuring victims are provided with necessary remedies. Kwon noted that previous inaction regarding budget allocations has led to complacency in security investments, especially in an era of increasing digitization.
Following the breach reported by Lotte Card on September 1, a thorough investigation was initiated, uncovering that hackers had infiltrated their online payment server and successfully exfiltrated 200 gigabytes of sensitive data over a two-week period. Among the exposed information were personal and financial details of 2.97 million customers, including 283,000 card PINs and CVC codes.
The approach of financial authorities has faced scrutiny for being reactive rather than proactive. Kwon defended their assessment, explaining that their initial judgment deemed the leaked information insufficient for facilitating fraudulent activities, yet they are now adjusting their risk categorization processes based on forensic evidence.
Moreover, this incident raises questions about the effectiveness of existing cybersecurity certifications, as Lotte Card had received ISMS-P certification just weeks prior to the breach. Observers have noted a pattern of delayed response in cybersecurity measures following similar incidents, highlighting a critical need for evolving security strategies.
Legal experts emphasize the risks posed by IT security failures, stating, “The level of accountability must be elevated. As cyber threats evolve, financial institutions are urged to adopt nuanced, adaptable security measures.” This call to action from industry leaders underlines the pressing need for sectors reliant on consumer trust to enhance their cybersecurity frameworks significantly.
This article was originally authored in Korean and translated by a bilingual reporter, assisted by generative AI tools. It has been edited by a native English-speaking editor. All AI-assisted translations are subject to newsroom review.
BY PARK YU-MI