 |
Photo courtesy of Yonhap News |
[Alpha Biz= Paul Lee] SEOUL, September 18, 2025 – South Korea’s Financial Security Institute (FSI), a non-profit corporation supervised by the Financial Services Commission, has come under scrutiny after it awarded ISMS-P certification to Lotte Card just two days before a massive customer data breach.
On September 12, FSI granted Lotte Card the Information Security Management System–Personal Information Protection (ISMS-P) certification, considered the nation’s most authoritative standard for data and information security. However, beginning on September 14, hackers exfiltrated an estimated 200GB of customer data, raising doubts about the robustness and reliability of the certification framework.
The ISMS-P system is based on Korea’s Personal Information Protection Act and is one of the few certification regimes in the country carrying quasi-public authority. As of August 29, only 48 financial institutions nationwide had received the certification.
Founded in 2015, FSI is Korea’s sole financial security body officially tasked with supporting government ministries and regulators such as the Financial Supervisory Service (FSS). FSI has also joined the ongoing investigation into the Lotte Card hacking case.
Industry observers argue that FSI may have failed to properly assess Lotte Card’s security infrastructure during the certification process. Critics add that since ISMS-P accreditation allows certified companies to receive benefits such as reduced regulatory penalties, the certification body should apply stricter due diligence and oversight.
Alphabiz Reporter Paul Lee(hoondork1977@alphabiz.co.kr)
