Three Major Credit Rating Agencies Voice Credit Concerns Over Lotte Card Data Breach

Lotte Card Suffers Data Breach Affecting 2.97 Million Customers
Credit Rating Agencies Express Concerns Over Potential Downgrade


The three major domestic credit rating agencies have raised multiple concerns, including declines in profitability and credit rating, about Lotte Card, which suffered a massive personal data breach due to hacking. With hundreds of billions of won in fines and the potential loss of a large number of customers, a negative impact on the company’s credit rating is expected to be unavoidable.


2.97 Million Lotte Card Customers Affected by Hacking

According to the Financial Supervisory Service and the Financial Security Institute on September 23, 2025, Lotte Card experienced a hacking attack on its online payment server last month, resulting in the leakage of personal information of 2.97 million customers. The leaked information included names, dates of birth, mobile phone numbers, card numbers, addresses, and financial transaction details. Approximately 30% of all Lotte Card customers were affected. Among the 2.97 million victims, 280,000 had registered new card information for payment services during the hacking period; for these customers, sensitive information such as passwords and CVC numbers, which could be used for fraudulent transactions, was also exposed, causing even greater damage.


Korea Ratings (KR) assessed that, due to this hacking incident, Lotte Card will face significant short-term financial burdens from card reissuance and compensation for damages, as well as fines imposed under the Personal Information Protection Act.


Short-term expenditures include card reissuance costs, the expense of providing interest-free installment plans and credit care services until the end of the year, card usage alert service costs, and the burden of waiving next year’s annual fees for the 280,000 customers whose information could be fraudulently used. Although there have been no compensation claims reported so far, since the company has promised to fully compensate for secondary damages, it is necessary to continue monitoring for the possibility of additional costs.


In particular, KR pointed out that the maximum fine that can be imposed under the Personal Information Protection Act is estimated at 80 billion won. However, based on recent similar cases, the actual fine is expected to be lower than the maximum limit. Additionally, some Lotte Card customers are preparing a class action lawsuit, so litigation costs arising from court proceedings are also expected to be a burden.


In the mid- to long-term, there are concerns about a shrinking customer base due to customer attrition and declining trust. KR noted that in the increasingly competitive credit card industry, a weakened customer base could have a greater negative impact on credit ratings in the mid- to long-term.


No Hyoseon, a senior researcher at KR, stated, "The social repercussions of this Lotte Card customer information leak are significant," and predicted, "A decline in market share due to customer cancellations is inevitable to some extent." Researcher No further explained, "If a business suspension penalty similar to that imposed in 2014 is enforced, Lotte Card’s business foundation could be further weakened, especially given the intensifying competition for market share."


Concerns Over Hundreds of Billions in Fines and Large-Scale Customer Attrition, Negative Impact on Credit Rating

Korea Investors Service (KIS) and NICE Investors Service (NICE) have also expressed concerns about a decline in Lotte Card’s credit rating. KIS noted that SK Telecom was fined 134.8 billion won, equivalent to 1% of its sales, for a data breach, and estimated that if this standard were applied to Lotte Card, it could face a fine of approximately 27 billion won. This amount is equivalent to 20% of last year’s net profit. KIS also warned that if fraudulent transactions occur using the leaked information, the compensation amount could increase significantly, and there is a possibility of paying damages due to consumer class action lawsuits.


KIS further diagnosed that a decline in brand image could lead to a decrease in new member acquisition, thereby weakening the company’s revenue base. Considering that the annual proportion of new individual members is in the 10% range, a decrease in new members would have a significant impact on overall performance.


An Taeyoung, a senior researcher at KIS, stated, "Amid ongoing unfavorable industry conditions such as reductions in merchant commission rates and rising delinquencies in card loans, Lotte Card was already experiencing a sharp decline in performance due to a series of large-scale defaults, including factoring loans and Homeplus corporate card payments, earlier this year." He added, "This customer information leak is expected to be a major obstacle to performance recovery, and if poor performance persists over the long term, the burden of managing the company’s credit rating will increase."


Kim Seokwoo, a senior researcher at NICE, emphasized, "We plan to monitor the impact of this incident on Lotte Card’s actual number of members and changes in its membership base," adding, "If we determine that there has been a significant change, it may be reflected in the company’s credit rating."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
