South Korean fintech companies' customer data transfers to Alipay, a Chinese payment platform, are setting off private data breach alarm bells amid rising concerns that Chinese payment platforms could serve as personal information leakage channels in South Korea.
On Tuesday, the Financial Supervisory Service (FSS) said its probe into Kakao Pay Corp. between May and July of this year found the fintech company provided 54.2 billion cases of customer information to Alipay since April 2018.
It gave the data to Alipay once a day, with some data given without the customers' consent, according to the regulator.
The transferred information is related to 40.45 million people, about 80% of the South Korean population. It included Kakao Pay users’ account IDs, mobile phone numbers, email addresses and their bill payment history, as well as the balance of their deposits at the fintech account.
In 2023, the fintech arm of Kakao Corp., South Korea’s dominant mobile platform, handled a total of 140.9 trillion won ($104 billion) in transactions.
For cross-border transactions, e-commerce users must agree to provide their personal information to digital wallet operators such as Kakao Pay and Alipay+.
But the FSS pointed out that Kakao Pay has shared almost all of its customer data with Alipay. It claimed Kakao has provided more data on its users than necessary to the Chinese payment platform, saying that could lead to the misuse of personal information.
The financial watchdog is mulling penalizing Kakao Pay for the alleged private information breach.
Ryan is Kakao's most popular mascot But Kakao Pay refuted the FSS’ finding and said its user information transfer to Alipay was not illegal.
It argued that the information sharing with Alipay was necessary to settle cross-border transactions and was done legally.
NAVER PAY, TOSS PAYMENTS
Its two domestic peers – Naver Pay and Toss Payments – were also found to have transferred customer information to Alipay since they formed partnerships with Alipay+, a cross-border payment service provider.
Korean fintech companies argue that the personal information they provided to Alipay was encrypted, and thus nearly impossible to be misused by Chinese companies.
But the FSS said that Kakao’s encrypted customer information could be decrypted without difficulty because it used publicly available encryption programs.
In the absence of standardized regulations for fintechs’ personal information handling in South Korea, domestic regulators are tightening their scrutiny over Chinese e-commerce players and their payment apps as they are threatening homegrown online retailers such as Coupang Inc. and Gmarket Inc.
Last month, South Korea slapped a fine of 2 billion won ($1.4 million) in addition to a penalty of 7.8 million won on AliExpress for violating South Korea’s privacy laws.
The country’s Personal Information Protection Commission (PIPC) said AliExpress provided information about customers in South Korea to about 180,000 sellers in other countries, mostly in China, without taking measures required by the Personal Information Protection Act.
AliExpress was the first company punished for violating overseas personal data transfer procedures required by law, according to the authority.
Ant Group, the parent company of Alipay, is Kakao Pay’s second-largest shareholder with a 32% stake. The Chinese financial services group also controls 32.71% of Toss Payments as its No. 2 shareholder.
