Alipay’s rise puts Korea on alert to private data breach

South Korean fintech companies' customer data transfer to Alipay, a Chinese payment platform, sets off alarm bells over private data breach, stirring concerns that Chinese payment platforms could serve as personal information leakage channels in South Korea.

On Tuesday, the Financial Supervisory Service (FSS) said its probe into Kakao Pay between May and July found that the fintech company had provided 54.2 billion cases of customer information to Alipay since April 2018.

It gave the data to Alipay once a day, with some of them not receiving their consent, according to the regulator.

The transferred information is related to 40.45 million people, about 80% of South Korean population. It included Kakao Pay users’ account IDs, mobile phone numbers, email addresses and their bill payment history, as well as the balance of their deposits at the fintech account.

In 2023, the fintech arm of Kakao Corp., South Korea’s dominant mobile platform, handled a total of 140.9 trillion won ($104 billion) of transactions.

To clear cross-border transactions, e-commerce users must agree to provide their personal information to digital wallet operators such as Kakao Pay and Alipay+.

But the FSS pointed out that Kakao Pay has shared almost all of its customer data with Alipay. It claimed Kakao has provided more data on its users than necessary to the Chinese payment platform, saying that could lead to the misuse of personal information.

The financial watchdog is mulling penalizing Kakao Pay for the alleged private information breach.

But Kakao Pay refuted the FSS’s finding and said its user information transfer to Alipay was not illegal.

It argued the information sharing with Alipay was necessary to settle cross-border transactions and was done in a legal manner.

NAVER PAY, TOSS PAYMENTS

Its two domestic peers – Naver Pay and Toss Payments – were also found to have transferred customer information to Alipay since they formed partnerships with Alipay+, a cross-border payment service provider.

Korean fintech companies argue that personal information they provided to Alipay was encrypted, so it is nearly impossible for Chinese companies to misuse them.

But the FSS said that Kakao’s encrypted customer information could be decrypted without difficulty because it used publicly available encryption programs.

In the absence of standardized regulations for fintechs’ personal information handling in South Korea, domestic regulators are tightening their scrutiny over Chinese e-commerce players and their payment apps as they are threatening the lead of Coupang Inc.

Last month, South Korea slapped a fine of 2 billion won ($1.4 million) in addition to a penalty of 7.8 million won on AliExpress for violating South Korea’s privacy laws.

The country’s Personal Information Protection Commission (PIPC) had said the AliExpress provided information about customers in South Korea to about 180,000 sellers in other countries, mostly in China, without taking measures required by the Personal Information Protection Act.

AliExpress was the first company punished for violating overseas personal data transfer procedures required by law, according to the authority.

Ant Group, the parent company of Alipay, is Kakao Pay’s second-largest shareholder with a 32% stake. The Chinese financial services group also controls 32.71% of Toss Payments.

Write to Hyeong-Gyo Seo and Hanjong Choi at seogyo@hankyung.com
 

Yeonhee Kim edited this article