Over 40 million Kakao Pay users’ data somehow ended up with Alipay
Kakao Pay, a subsidiary of Korea’s WhatsApp analog Kakao, handed over data from more than 40 million users to the Singaporean arm of Chinese payment platform Alipay, without user consent, Korea’s financial watchdog revealed Tuesday.
The nation’s Financial Supervisory Service (FSS) concluded the data was shared illegally after an on-site inspection of Kakao Pay’s overseas payment division between May and July of this year. Among the personal data shared was Kakao Account ID, mobile phone number, email address, Kakao Pay subscription history, and transactions.
Kakao Pay has denied any illegal activity.
The partnership between Kakao Pay and Alipay is designed to allow Korean customers to pay with Kakao Pay at overseas merchants that take Alipay.
Kakao Pay thus claimed the data was shared as part of a business collaboration – that it was hiring a service to process data from Alipay rather than providing customer information to a third party. It argued that this meant consent was not required. It also claimed that all information was encrypted – and therefore not problematic.
The regulator responded by doubling down and clarifying its stance on Wednesday. It observed that the contract between the two companies did not specify that Alipay was processing data, and Kakao’s terms and conditions did not mention that it would use a data processing contractor.
Any such data processor should not be able to extract any value out of the data for profit themselves and entities that take on the processing role must be reported to FSS, the regulator asserted, indicating it thought the vast amount of data could be financially lucrative.
Sharing without consent is against the nation’s Credit Information Use and Protection Act, according to the FSS – but this case is particularly egregious because the information was transmitted out of Korea, to Singapore. To share data across borders, Kakao needed to undergo even more strenuous consent processes.
FSS also argued that sharing so much data was not necessary to enable overseas payments through a partner. The only necessary data needed to complete payments was order and payment information.
The Kakao subsidiary took the stance that extra information was needed in order to calculate if there were non sufficient funds (NSF), so that Alipay could mediate Apple Payment services and match user information to Apple IDs.
The FSS in turn cited concern that Kakao Pay and Alipay took credit information of all customers – not just the ones situationally applicable. Sending NSF information – when all Alipay needed to do was match users to Apple IDs – seemed a bit like overkill.
Furthermore, according to the regulator, the policy to share so much data had changed over time. “Kakao Pay did not provide Alipay with the credit information of overseas payment customers at the beginning of its partnership with Alipay,” it stated.
And as for that encryption? Kakao Pay used the most common encryption program found on the market, said the regulator. It was simple, did not input any random factor, and the Korean fintech never once changed the password.
The regulator plans to complete a thorough legal review and will conduct inspections of similar data misuse cases – presumably with other entities.
Ant Group, the parent company of Alipay, is the second-largest shareholder of Kakao Pay. Ant Group is an affiliate of Chinese tech giant Alibaba Group, operating as an independent business.
Local media cited industry insiders as expressing concern that Chinese entities might use the slurped Kakao Pay data for marketing purposes, or to inform their strategy when competing in the Korean market.
The Kakao Group is having a rough week. Kakao Pay shares plummeted from an already record low following the news of the data leak.
And just last Thursday, Kakao’s billionaire founder, Kim Beom-su (also known as Brian Kim), was indicted on charges of stock market manipulation. Kim has denied the allegations. ®
READ MORE HERE