Kakao Pay leaked personal data to China's Alipay: FSS

Industry

Kakao Pay leaked personal data to China's Alipay: FSS

Published: 13 Aug. 2024, 15:57 Updated: 13 Aug. 2024, 20:09

LEE JAE-LIM
lee.jaelim@joongang.co.kr

A website screen capture of Kakao Pay [SCREEN CAPTURE]

An investigation by the nation's financial regulator has found that Kakao Pay, the mobile payment service affiliated with Korea’s social media giant Kakao, had leaked its customers’ personal data to the Chinese mobile payment service Alipay.

The Financial Supervisory Service (FSS) said on Monday that an inspection of Kakao Pay's foreign exchange transactions from May to July found that the company transferred personal credit information to Alipay without receiving consent from users.

The FSS said it is considering imposing sanctions on Kakao Pay for violating the Credit Information Use and Protection Act, which requires user consent to be obtained before personal credit data is shared with another party, and the Personal Information Protection Act mandating that the company also secure consent to transfer the private information across borders, as Alipay is based overseas.

Kakao Pay consistently provided personal credit data without consent in 54.2 billion instances from April 2018 until now, even if the user did not make overseas purchases, with information ranging from the users' Kakao account IDs to masked email accounts or cellphone numbers and order information such as time and purchase volume, the FSS said on Tuesday.

For overseas purchases, Kakao Pay transferred "unnecessary" personal data regarding Kakao account IDs, order information and purchases in 550 million instances from November 2019 to the present.

The transfer was part of Kakao Pay’s attempt be added as a payment method in the Apple App Store.

Apple requires payment services seeking to join its app store to supply customer-related data. Kakao Pay's customer information data was reportedly masked before being handed over to Apple — a job that was outsourced to an Alipay affiliate, which constituted a data breach.

It was reported that the data never even reached Apple, its intended target.

Kakao Pay released a statement Tuesday denying the allegation, stating that the entire process “is a legitimate outsourcing of customer information to provide a payment method on Apple’s App Store.”

“Unlike other foreign operators, Apple requires a higher level of fraud prevention processes,” Kakao Pay said. “To meet this requirement, Apple has long been collaborating with Alipay.”

Regarding the personal data provided to Alipay, the company stated that “according to Article 17, Paragraph 1 of the Credit Information Use and Protection Act, consent from the data subject is not required when personal credit information is outsourced for processing.”

The data was also “thoroughly” encrypted in such a way that it could not be used for means other than fraud detection, Kakao Pay said, adding that it had checked with Alipay separately that the information was not utilized for other purposes such as marketing.

An attorney who served as a member of the FSS' disciplinary committee, on the other hand, has raised a question mark over whether Kakao Pay’s outsourcing could be as legitimate as that the company claims.

“Service outsourcing is similar to an e-commerce company providing customer addresses to couriers,” the attorney said. “It involves outsourcing personal information necessary for the primary business. In such cases, the use of personal information must remain within the scope agreed upon by the data subject, and the details of the outsourcing arrangement must be disclosed. Whether Kakao Pay’s case falls into this category is questionable.”

Regarding whether it disclosed the fact that the personal data had been shared with a third party, Kakao Pay answered that the matter was “undisclosable.”

Suspicion is also rising over Kakao Pay’s connection to Alipay. The Korean service's second-largest shareholder is Alipay Singapore Holding with a 32.06 percent stake in the firm. Alipay Singapore Holding is an affiliate under China’s Ant Group, itself an affiliate of the Chinese conglomerate Alibaba Group, which owns and operates the Alipay service.

Kakao Pay is also a longstanding partner of Alipay’s global mobile payment service, Alipay+, supporting foreign transactions by domestic customers as well as transactions in Korea by foreign customers.

Kakao Pay has claimed that the decision to utilize Alipay's system was made on a recommendation from the U.S. tech giant.

“It was Apple who recommended the outsourcing of the data for masking to Alipay,” Kakao Pay said. “It is not because Alipay sits as a primary shareholder.”

If Kakao Pay’s data breach is evaluated as a violation of law, the harshness of sanctions may be elevated.

“Violations of the credit information act can be subject to criminal penalties, but they are also serious enough to warrant severe regulatory sanctions by the financial authorities,” said an FSS official.

The FSS said that it will look into other payment services to probe whether similar instances of personal data breaches have occurred.

Following the news, Kakao Pay's shares plunged 5.61 percent to close at 23,550 won ($17.19) on Tuesday.

BY KIM NAM-JUN,LEE JAE-LIM [lee.jaelim@joongang.co.kr]