[Reporter’s Notebook] Why Lotte Card Consumers Remain Angry

Announced Full Compensation and Personnel Overhaul,
But Failed to Present Fundamental Solutions to Prevent Hackers
Lack of Tailored Support for Vulnerable Groups and Consideration for Secondary Damages

On September 18, Lotte Card CEO Cho Jwajin and the company’s management bowed their heads and issued a public apology regarding the hacking incident. CEO Cho emphasized accountability by mentioning not only full compensation for all damages, but also the possibility of resigning from his position. In effect, he presented a written statement of reflection to the public, pledging to regain customer trust.

He also announced that the proportion of the company’s information security budget would be raised from the current 10% to 15%, the highest level in the industry, compared to the total IT budget. Cho stated that all personnel changes, including his own resignation, would be completed by the end of the year. This signifies a determination to restore discipline and overhaul the system, even if it means spending more money and replacing people.

Despite the CEO’s sense of urgency, consumer anger has not subsided. The reason is clear: the company failed to provide a convincing answer to the fundamental question, “Can you prevent future hacking incidents?”

CEO Cho said, “We conducted penetration tests, but they were breached. By strengthening organizational authority, we will achieve top-tier security capabilities within three years.” Ultimately, this amounts to saying, “We tried, but we failed.” Moreover, a “promise for three years later” sounds hollow to consumers who are using their cards right now. If specific and immediately actionable measures had been presented-such as hacker intrusion prevention equipment or real-time internet protocol (IP) tracking and blocking-public distrust might have been alleviated.

It is also problematic that the company failed to offer tailored responses for financially vulnerable groups who struggle with digital devices, or measures to prevent secondary damages such as voice phishing. When asked, “How far does the scope of secondary damage compensation extend?” CEO Cho replied, “There could be cases where leaked customer information is used to open a new mobile phone and make small payments. If such incidents occur as a result of this breach, I believe we should compensate for those as well.” While this demonstrates a willingness to provide after-the-fact compensation, it lacks any proactive measures to protect vulnerable groups or a comprehensive strategy for responding to cybercrime, making it an empty statement.

CEO Cho confessed, “I haven’t slept properly for three weeks.” He also said he might step down from his position. While his determination to respond to the damage is evident, what is needed now is not the CEO’s emotional appeals or resolve.

After-the-fact, “closing the barn door after the horse has bolted” responses are no longer effective. The same prescriptions of “spending more money” and “replacing people” will not restore trust. The path for Lotte Card to regain consumer confidence is clear: the company must provide specific and practical explanations of when and how it will establish a sophisticated security system capable of blocking hacker attacks hundreds or even thousands of times. The entire financial sector-and indeed, the entire nation-is closely watching this situation.