Full Report
Choi Ji-won reports: Lotte Card said a hacking attack compromised the personal data of 2.97 million users, marking the biggest data breach this year. CEO Cho Jwa-jin on Thursday disclosed the findings of a probe by the Financial Supervisory Service and Financial Security Institute, in the first public announcement since regulators began investigating on Sept.... Source
Analysis Summary
# Incident Report: Lotte Card Massive Data Breach
## Executive Summary
Lotte Card suffered a significant data breach resulting in the compromise of personal data belonging to nearly 3 million users. The incident, which occurred on the company’s online payments server between July and August 2025, involved the exfiltration of over 200 gigabytes of transaction-related information. Lotte Card's CEO publicly announced the findings following an investigation initiated by financial regulators.
## Incident Details
- Discovery Date: September 2, 2025 (Date regulators began investigating)
- Incident Date: Between July 22, 2025, and August 27, 2025
- Affected Organization: Lotte Card
- Sector: Financial Sector (Credit Card/Payments)
- Geography: South Korea (KR)
## Timeline of Events
### Initial Access
- Date/Time: Unknown, breach occurred between July 22 and Aug 27, 2025.
- Vector: Attack targeted the company’s **online payments server**. (Specific initial vector not detailed in source)
- Details: The attackers successfully breached the server handling online transactions.
### Lateral Movement
- Details: Not detailed in the source; the volume of transaction data taken suggests the attackers reached the repository holding transaction records.
### Data Exfiltration/Impact
- Details: Over **200 gigabytes of data** was exfiltrated. The data belongs to **2.97 million users**.
### Detection & Response
- Date/Time (Investigation Start): September 2, 2025 (When regulators began investigating).
- Date/Time (Public Announcement): September 18, 2025.
- Details: The incident was discovered when regulators (Financial Supervisory Service and Financial Security Institute) began an investigation on September 2nd. The CEO publicly disclosed the breach and apologized on September 18th.
## Attack Methodology
- Initial Access: Compromise of the **online payments server**.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Inferred; access to stored transaction-related data.
- Collection: Gathering of data generated/collected during online transactions.
- Exfiltration: Over 200 GB of data was stolen.
- Impact: Large-scale customer data theft.
## Impact Assessment
- Financial: Not disclosed, but significant investigation costs and potential fines expected.
- Data Breach: Personal data of **2.97 million users**. Information includes:
  - Connection information
  - Virtual payment codes
  - Internal identification numbers
  - Type of easy payment service used
- Operational: Disruption related to the investigation and confirmation of the breach on the affected server.
- Reputational: Significant, described as the biggest data breach of the year at the time of reporting.
## Indicators of Compromise
- Network indicators: Not specified (Server IP addresses/domains defanged).
- File indicators: Not specified.
- Behavioral indicators: Unauthorized handling/extraction resulting in >200 GB egress from the online payments server.
## Response Actions
- Containment measures: Not detailed, but implied isolation/securing of the affected online payments server occurred prior to public announcement.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed beyond the disclosure of the probe findings.
## Lessons Learned
- The primary weakness was the security of the **online payments server**, which held sensitive transaction data.
- Reliance on existing security measures proved insufficient to prevent unauthorized access and massive data exfiltration over a multi-week period.
## Recommendations
- Immediately conduct comprehensive external penetration testing focused on the recently compromised online payments server architecture.
- Review and enhance logging and anomaly detection specifically around large-volume data transfer from core transaction processing systems.
- Implement robust network segmentation between the public-facing web infrastructure and the payment processing back-end.
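The behavioral indicator above (>200 GB leaving the payments server over several weeks) and the recommendation to detect large-volume transfers from transaction systems can be turned into a concrete egress-volume check. The following is an added example, not code from the report or from Lotte Card: it aggregates per-host outbound bytes from flow-style log lines into 24-hour windows and raises an alert when a window exceeds an absolute limit or is far above that host's own history. The log format, host names, destination addresses, thresholds and sample lines are all constructed for illustration.

```python
"""Egress-volume anomaly check over constructed flow-style log lines.

Added example (not from the incident report): flags hosts whose outbound
byte volume in a 24-hour window exceeds an absolute cap or is many times
the host's typical window volume. Format, hosts and values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed line format: "<ISO timestamp> src=<host> dst=<ip> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: pay-web-01 is quiet; pay-web-02 ships ~20 GB in one day
# after a normal day, and one malformed line exercises the parser's tolerance.
SAMPLE_LOG = """\
2025-07-21T04:00:00 src=pay-web-02 dst=198.51.100.7 bytes_out=2000000
2025-07-22T01:00:00 src=pay-web-01 dst=203.0.113.10 bytes_out=1200000
2025-07-22T01:05:00 src=pay-web-01 dst=203.0.113.10 bytes_out=900000
this line is not a flow record
2025-07-22T02:00:00 src=pay-web-02 dst=198.51.100.7 bytes_out=5000000000
2025-07-22T02:30:00 src=pay-web-02 dst=198.51.100.7 bytes_out=7000000000
2025-07-22T03:00:00 src=pay-web-02 dst=198.51.100.7 bytes_out=8000000000
2025-07-23T01:00:00 src=pay-web-01 dst=203.0.113.10 bytes_out=1100000
"""


def parse_line(line):
    """Parse one record; return None for malformed lines instead of failing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def aggregate_egress(log_text, window_seconds=24 * 3600):
    """Return {src_host: {window_index: total_bytes_out}} using epoch-aligned windows."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines; a real pipeline would count them
        bucket = int(rec["ts"].timestamp()) // window_seconds
        totals[rec["src"]][bucket] += rec["bytes"]
    return totals


def flag_anomalies(totals, absolute_limit=1024 ** 3, ratio_limit=10.0,
                   window_seconds=24 * 3600):
    """Alert on any window that exceeds absolute_limit bytes, or that is
    ratio_limit times the median of the host's *other* windows (leave-one-out,
    so the spike itself does not inflate its own baseline)."""
    alerts = []
    for host, buckets in totals.items():
        for bucket, vol in sorted(buckets.items()):
            others = [v for b, v in buckets.items() if b != bucket]
            baseline = median(others) if others else 0
            reasons = []
            if vol >= absolute_limit:
                reasons.append("absolute")
            if baseline > 0 and vol / baseline >= ratio_limit:
                reasons.append("ratio")
            if reasons:
                start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
                alerts.append({
                    "host": host,
                    "window_start": start.date().isoformat(),
                    "bytes_out": vol,
                    "baseline_bytes": baseline,
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(aggregate_egress(SAMPLE_LOG)):
        print(alert)
```

The leave-one-out baseline matters for exactly the failure mode in this incident: a multi-week exfiltration would otherwise become part of the host's "normal" and suppress its own alert. In production the thresholds should be set per system role (a payment web tier has no business sending gigabytes outbound), and the aggregation would run over flow, proxy or firewall logs rather than an embedded string.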