Kakao Pay, a leading mobile payment service in South Korea, was recently found by the Financial Supervisory Service (FSS) to have shared the personal credit information of 40.45 million individuals with Alipay, a financial payment company under China’s Alibaba, without obtaining customer consent. This data transfer included Kakao Pay IDs, mobile phone numbers, email addresses, and transaction histories of anyone who used Kakao Pay at least once over the past six years since April 2018.
The FSS released the findings from its on-site Inspection of Kakao Pay’s overseas payment services on Aug 13., revealing that Kakao Pay transmitted encrypted personal credit information to Alipay daily, amounting to a cumulative total of 54.2 billion records. An FSS representative noted, “Kakao Pay has approximately 25 million monthly users, and when including dormant and former customers, the data of over 40 million people was shared at least once.”
Alipay, which supports financial payments for 81 million merchants across 46 countries, including major platforms like Apple, Google, AliExpress, and Temu, is also the second-largest shareholder of Kakao Pay, holding a 32% stake. Since Kakao Pay lacks its own overseas payment network, it relies on Alipay for these services. However, the FSS discovered that Kakao Pay also provided the credit information of customers who did not utilize overseas payment services.
The FSS further expressed concerns about the encryption level used by Kakao Pay, stating that during testing, they were able to fully decrypt mobile phone numbers and Kakao Pay IDs using widely available decryption tools, with the exception of names.
In response, Kakao Pay stated, “There was no illegal provision of information,” and added, “We will provide further clarification during the follow-up investigation.” The FSS has indicated that it will proceed with sanctions promptly after a thorough legal review and will also investigate similar incidents.
Although the act of sharing encrypted personal credit information with Alipay is not inherently illegal, the concerns arise because Kakao Pay did so without obtaining customer consent, lacked a specific contract with Alipay for this data sharing, and provided excessive information, including data from customers who never used overseas payment services. Kakao Pay justified this by saying, “We shared the information of potential overseas payment customers because Apple requested it.”
Kakao Pay further clarified that it had a contract with Alipay and that the encryption level was robust enough to prevent easy identification of personal information. The company emphasized that the shared information was intended solely for assessing the creditworthiness of customers regularly using overseas payment services, as per their consignment agreement with Alipay.
