Kakao Pay has apologized to its customers following a personal information breach. The company was fined 8.3 billion won (US$5.8 million) by South Korea’s Personal Information Protection Commission (PIPC) for transferring personal data without customer consent.
Kakao Pay, along with Apple Pay, was found to have shared the personal details of approximately 40 million users with China’s Alipay without notifying or obtaining consent from the users, violating South Korea’s Personal Information Protection Act.
The PIPC’s decision, announced on Thursday, highlights that both Kakao Pay and Apple Pay failed to adhere to proper data transfer protocols. Kakao Pay has said it will review its policies and response measures to prevent future incidents and improve its compliance with data protection regulations.
The investigation found that Kakao Pay shared the personal information of approximately 40 million users with Alipay from April to July 2018 without obtaining proper consent. This data, which included sensitive details such as phone numbers, email addresses, account balances, and subscription dates, was used to generate an “NSF score” for Apple’s payment services.
The score, which ranged from 0 to 100, evaluated the probability of insufficient funds during grouped microtransactions. Data spanning 24 categories was shared and updated on a daily basis, with Alipay providing the results to Apple upon request.
The data transfer affected all Kakao Pay users, regardless of whether they used Apple Pay. Less than 20% of Kakao Pay users had registered Apple Pay as a payment method, yet information belonging to non-Apple users, including Android customers, was also shared. Neither Kakao Pay nor Apple disclosed these practices in their privacy policies or notified users about international data transfers.
The PIPC fined Kakao Pay 5.5 billion won (US$4.2 million) for these violations and issued a corrective order to address compliance gaps. The company was also instructed to disclose the breach publicly on its website and app. Apple faced a penalty of 2.2 billion won (US$1.7 million) for outsourcing data processing to Alipay without user consent and failing to inform users about cross-border transfers.
Additionally, the PIPC ordered Alipay to destroy its NSF score calculation models built using the unlawfully transferred data. Kakao Pay has since issued an apology, expressing regret over the situation and vowing to carefully review its response measures to prevent similar incidents in the future.
The PIPC concluded that Kakao Pay’s transfer of all users’ personal information to Alipay for Apple’s payment evaluation constituted an “overseas transfer without legal grounds.” As a result, the commission imposed a fine of 5.968 billion won (approximately US$4.4 million) on Kakao Pay and issued corrective orders to ensure compliance with legal requirements for cross-border data transfers.
The company was also instructed to publicly disclose the violations on its website and app. Similarly, Apple was fined 2.45 billion won (US$1.8 million) for failing to inform users about its data outsourcing practices and 2.2 million won for not disclosing the transfers in its policies.
The PIPC clarified that the issue is limited to violations of personal information protection laws, with financial regulators such as the Financial Supervisory Service expected to investigate the unauthorized sharing of financial data further. Kakao Pay expressed regret over the ruling, stating that it believed the data transfer was necessary to ensure secure payments, but pledged to review its compliance measures and improve its practices.