In a sweeping move that has sent shockwaves through South Korea’s financial sector, the Financial Supervisory Service (FSS) is cracking down on major credit card companies following a series of high-profile personal information leaks. The disciplinary actions—starting with Lotte Card and soon to be followed by Woori Card and Shinhan Card—have set the industry on edge, with concerns mounting over both immediate penalties and the long-term impact on business operations.
The latest chapter in this unfolding saga began on April 12, 2026, when the FSS announced it would initiate strong disciplinary measures against Lotte Card. The catalyst: a hacking incident last year that resulted in the leak of personal data belonging to approximately 2.97 million customers, including the resident registration numbers of around 450,000 individuals. According to SegyeBiz, the proposed penalty is unprecedented in its severity—a 4.5-month business suspension, nearly 50% longer than the three-month suspensions handed out in the infamous 2014 data breach, and a fine that could reach up to 5 billion KRW (about $3.7 million USD). The FSS’s disciplinary committee is set to meet on April 16 to finalize the sanctions, which will then require approval from the Financial Services Commission.
But Lotte Card is not alone in the regulatory crosshairs. Woori Card is next in line, having suffered its own data breach in early 2024. In that case, the personal information of roughly 75,000 merchant clients—including names, phone numbers, and card membership status—was leaked to card recruiters and used for marketing without the merchants’ consent. The Personal Information Protection Commission already fined Woori Card 13.451 billion KRW (about $10 million USD) in March 2025, and the FSS is now reviewing the case for additional violations under the Credit Information Act. As one FSS official told Yonhap News, “The inspection regarding Woori Card’s merchant data leak has already been completed. We plan to focus on Woori Card’s penalties right after Lotte Card’s case is closed.”
Shinhan Card, too, is under scrutiny. From March 2022 to May 2025, the company experienced a leak involving approximately 192,000 merchant records—again, including sensitive identifiers like phone numbers and business registration numbers. Shinhan Card reported the breach to the Personal Information Protection Commission in December 2025, prompting a swift FSS inspection that wrapped up in early February 2026. Penalties for Shinhan Card are expected in the near future.
For the industry, the prospect of business suspensions is far more alarming than even the eye-watering fines. While fines—no matter how hefty—can be absorbed as one-off costs, business suspensions have lingering effects. During a suspension, companies are barred from signing up new customers, a blow that can lead to a significant erosion of market share and revenue. The lessons from 2014 are fresh in executives’ minds: following a three-month suspension that year, Lotte Card saw its membership drop by 800,000 in just twelve months, and overall credit card usage fell by 1.1%. Analysts at Korea Ratings estimate that Lotte Card could lose around 5 billion KRW per month during the 4.5-month suspension, totaling losses of about 20 billion KRW.
Industry insiders, quoted in FETV and Digital Times, warn that the domino effect of these penalties could trigger an industry-wide downturn. With card companies already grappling with reduced merchant fees, rising funding costs, and an uptick in bad debt expenses, the added burden of regulatory sanctions may force them to rethink their business strategies. “Regulatory pressure will inevitably increase spending on information security and internal controls,” said one banking sector source. “For the time being, card companies are likely to shift from aggressive expansion to a more risk-averse, compliance-focused approach.”
The card issuers, for their part, are scrambling to implement reforms and prevent future breaches. Lotte Card has announced a five-year, 120 billion KRW investment in information security, pledging to boost its security budget to 15% of total IT spending. Shinhan Card has established a dedicated privacy protection department and rolled out new tracking systems to detect and prevent unauthorized data leaks. Woori Card has overhauled its data access procedures, introducing double approval requirements and tying information security compliance to employee performance bonuses.
The regulatory crackdown is not just about punishing past mistakes—it’s also about setting a new standard for data protection in South Korea’s financial sector. According to Joongang Economy News, the FSS’s actions are designed to send a clear message: consumer data protection is non-negotiable, and companies must invest in robust safeguards or face severe consequences. The FSS has the authority to impose business suspensions of up to six months for consumer protection violations, and fines can reach as high as 5 billion KRW for breaches of the Credit Information Act.
For Woori Card, the fallout from its 2024 breach has already been substantial. Not only did the company pay a record fine, but it also faces the prospect of further penalties and operational restrictions. The leaked data was used without customer consent for marketing—a violation that regulators have made clear will not be tolerated. Shinhan Card’s case, though slightly different in scope, also underscores the need for tighter controls on employee access to sensitive data and more rigorous internal audits.
The industry’s response has been swift but not uniform. While all three companies have taken steps to bolster their defenses, the effectiveness of these measures remains to be seen. Some analysts, as reported by Chunji Ilbo, suggest that the real test will come when the next data breach inevitably occurs. Will the new systems and protocols be enough to prevent another crisis, or are more fundamental changes required?
Meanwhile, the broader economic environment is compounding the challenges faced by card issuers. The recent reduction in merchant fees has eroded core profitability, while rising interest rates have increased the cost of borrowing for both companies and consumers. Bad debt expenses are also on the rise, leaving little room for error as companies absorb the additional costs of compliance and security upgrades.
Despite the gloomy outlook, credit rating agencies remain cautiously optimistic about the sector’s resilience. While short-term costs are expected to rise, the overall creditworthiness of major card issuers is not seen as being at immediate risk. Still, as the FSS pursues its agenda of stricter oversight and tougher penalties, the industry’s margin for error has never been slimmer.
In the coming weeks, all eyes will be on the FSS disciplinary committee as it delivers its final verdicts. For South Korea’s card industry, the message is clear: the era of lax data security is over, and survival now hinges on earning back the trust of both regulators and consumers.