Lotte Card's Cybersecurity Spending Stays Below 10% of IT Budget

Photo Image
Cho Jwa-jin, then CEO of Lotte Card, and company executives apologize to customers over the cyberattack at the Booyoung Taepyeong Building in Jung-gu, Seoul. Photo by Lee Dong-geun / foto@etnews.com

Lotte Card, which suffered a large-scale personal data breach last year, allocated less than 10% of its total IT budget to information security in 2025, raising questions about the company's cybersecurity investment. Industry observers say the decline in security spending that began after the company was acquired by MBK Partners has continued.

According to Lotte Card's information security disclosure released on June 25, the company invested KRW 12.57 billion in information security last year, accounting for 9.8% of its total IT spending of KRW 128.37 billion. The company employed the equivalent of 36.5 dedicated cybersecurity personnel, including 28.1 internal staff and 8.4 external specialists.

The disclosure marks the first public update on Lotte Card's cybersecurity status since the hacking incident in August 2025. Despite emergency security measures and additional investments following the breach, information security spending accounted for only 9.8% of the company's annual IT budget.

The reported figure reflects total annual security expenditures, including emergency investments and response measures implemented after the cyberattack.

Photo Image

Concerns have persisted that Lotte Card scaled back its cybersecurity investment after its acquisition by MBK Partners. According to data submitted by the Financial Supervisory Service (FSS) to the office of Rep. Kang Min-kook of the People Power Party, the company's information security budget fell from 14.2% of total IT spending in 2020 to 9.0% last year. As security investment steadily declined, the major cyberattack last year fueled criticism that MBK's cost-cutting strategy may have come at the expense of cybersecurity.

Investigators found that one of the key causes of the breach was the company's failure to apply a security patch for an online payment server vulnerability that had been publicly disclosed in 2017. Cho Jwa-jin, then CEO of Lotte Card, acknowledged before the National Assembly that the security patch had not been installed. Industry experts said the incident reflected not only a cyberattack but also shortcomings in the company's basic security management practices.

The breach exposed the personal information of approximately 2.97 million customers. The FSS imposed sanctions including a 4.5-month business suspension, a KRW 5 billion fine, and a formal reprimand for former CEO Cho. The Financial Services Commission (FSC) is expected to finalize the penalties next month.

In its latest disclosure, Lotte Card said it has implemented a Web Application Firewall (WAF), Extended Detection and Response (XDR), and Attack Surface Management (ASM). Following the data breach, the company also pledged to invest KRW 120 billion in cybersecurity over the next five years, increasing information security spending to 15% of its IT budget. The plan includes expanding proactive security measures such as ASM for identifying network vulnerabilities and establishing a dedicated red team to simulate cyberattacks.

A Lotte Card spokesperson said the company voluntarily disclosed its cybersecurity status to improve transparency and strengthen accountability, adding that it plans to invest KRW 120 billion in information security over the next five years while raising cybersecurity spending to 15% of its total IT budget.

· This article was translated using AI and was published after final review by the reporter.