South Korea’s Financial Supervisory Service has reportedly decided on a business suspension and an administrative fine for Lotte Card over a large-scale customer data leak, and also issued a disciplinary warning to former CEO Cho Jwa-jin.
Holding a top executive responsible in a financial-sector data breach carries clear symbolic weight. It signals that security failures will not be treated solely as an IT department mistake or only as the work of outside hackers.
In many past incidents, companies ended accountability at the working level, focusing on system managers or contractors while the CEO issued an apology and stepped back. In digital finance, that approach is increasingly untenable because protecting customer information is a management issue tied to a company’s survival.
The leaked Lotte Card data is reported to involve about 2.97 million people. Some of it reportedly included key payment information such as card numbers and expiration dates. For consumers, that raises concerns beyond a privacy violation and could extend to potential financial harm.
A CEO’s responsibility does not disappear because the executive did not personally carry out the intrusion. Decisions on security budgets, staffing, contractor oversight, and whether internal controls and inspections function are management responsibilities. Attacks may be carried out by hackers, but vulnerabilities are created by organizations.
The move also sends a message across the financial industry. Nonbank firms such as card companies, insurers and brokerages have been criticized for moving quickly on digital transformation while investing relatively less in security and staffing. Information protection has at times been pushed aside by profitability and marketing competition.
Discipline alone, however, will not solve the problem. Penalizing a CEO does not automatically raise security standards. Financial firms need boards to regularly review cyber risk and strengthen the authority and independence of chief information security officers. IT budgets should be treated as investments in trust, not targets for cost cutting.
Beyond Cho’s individual case, the episode is a signal to CEOs across South Korea’s financial sector: taking custody of customer data also means taking responsibility for security. The practice of sharing credit for performance in executive meetings while shifting blame for failures to frontline staff should end.
Finance depends on trust, and trust begins with safety. The warning to Cho is not only a sanction against one person, but a step toward resetting expectations for executive accountability. CEOs should treat security review reports with the same seriousness as earnings results.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.
