Lotte Card’s business outlook dims as data breach sparks financial, regulatory strain

Lotte Card is confronting heightened operational risks after a recent cyberattack compromised the personal information of nearly 3 million customers, analysts said Sunday.

The incident is expected not only to drive up short-term costs, but also to heighten credit downgrade risks and regulatory exposure.

The most immediate concern is the near-term cost burden as the company scrambles to contain fallout from the incident.

At a press conference on Thursday addressing the data breach, Lotte Card announced customer support measures — including card reissuance, annual fee waivers and interest-free services — which are projected to cost the company several billion won.

“Even excluding these one-off costs, the planned investment of 110 billion won ($79.2 million) over the next five years in information security is expected to pose a medium- to long-term financial burden,” said Ahn Tae-young, an analyst at Korea Ratings.

“The customer data breach is expected to serve as a significant obstacle to the company’s performance recovery.”

Meanwhile, Korea’s three major credit rating agencies — Korea Ratings, Korea Investors Service (KIS) and NICE Investors Service — have announced plans to intensify their monitoring of Lotte Card’s credit profile. The breach raises the risk of a downgrade from Lotte Card’s current AA- rating.

For credit card issuers without deposit-taking capabilities, any downgrade can significantly increase funding costs and strain liquidity. Lotte Card faces 4.7 trillion won in asset-backed bonds maturing next year, further amplifying refinancing pressure.

Beyond financial concerns, the breach presents substantial regulatory risk, with financial authorities weighing heavy sanctions under a zero-tolerance approach.

Potential penalties under the Personal Information Protection Act could be up to 3 percent of a company’s total revenue — amounting to as much as 80 billion won in Lotte Card’s case. A temporary suspension of business operations is also under consideration.

“The social impact of the customer data breach is considerable, and a decline in market share due to customer cancellations is expected to be inevitable to some extent,” said Roh Hyo-sun, an analyst at KIS.

“If (a three-month) business suspension penalty similar to those issued in 2014 is imposed, Lotte Card’s position could be significantly weakened — especially in today’s increasingly competitive market.”

As of Sunday, over 2,450 card customers have joined an online community for victims. They argue that the current compensation plan does not reflect the scale or severity of the harm they have experienced. In a notice, the community stated that it “plans to proceed with formal legal action in partnership with a law firm once a sufficient number of participants is secured.”

Tensions with Lotte Group, which sold Lotte Card to MBK Partners in 2019, could complicate matters further. On Sunday, the conglomerate publicly criticized Lotte Card for damaging the brand’s reputation and urged swift action to minimize harm to customers.