Kakao, the South Korean tech heavyweight known for its popular messenger, has suffered another setback as its mobile payments unit, Kakao Pay, allegedly shared the credit and personal data of some 40 million customers with Chinese fintech firm Alipay without their consent, touching off a firestorm of public criticism.

On Tuesday, the Financial Supervisory Service revealed that Kakao Pay had provided extensive information on all its users, including usernames, phone numbers, email addresses, balances and transaction records, to Alipay.

The revelation, based on an on-site inspection, showed that a whopping 54.2 billion points of personal data from 40.45 million Kakao Pay customers were leaked from April 2018 until recently.

Kakao Pay is also accused of improperly sharing unnecessary credit data of overseas payment customers with Alipay, including usernames and phone numbers. Since November 2019, the company has allegedly transferred some 550 million pieces of such data.

As for the sensitive allegations that could undermine its corporate credibility, Kakao Pay claimed in a statement that there was no illegal act in sharing customers’ personal information, saying it was a “standard procedure” related to data processing for payment services on Apple’s app store.

On Wednesday, Kakao Pay said it stopped providing customer data to Alipay in mid-May and offered an apology for the confusion. The company claimed the transfer complied with the country’s credit information regulations and the personal data in question was encrypted in a way that would make it impossible to identify individuals.

But the FSS said that Kakao Pay did not obtain customer consent for sharing personal information. Kakao Pay also failed to seek consent for transferring the data outside of Korea, since Alipay is a foreign company, and the encryption program involved required user consent under the related law, the financial regulator added.

But there are a slew of questionable details that should be clarified and confirmed since the FSS and Kakao Pay offer conflicting explanations about the practice.

Aside from disputes in the legal arena, it seems clear that Kakao Pay is unlikely to avoid public scrutiny and negative impact. Over 40 million people have used Kakao Pay, a leading mobile payments player with 24.7 million active monthly users as of July. Kakao Pay is also classified as what a “my data provider,” which means it handles sensitive financial data about customers.

The incident itself is shocking in that such a huge amount of personal information had been shared with a Chinese company in a possible violation of related domestic rules.

In South Korea, some people, who remain skeptical about the overall privacy protection of Chinese firms, are reluctant to sign up for Alipay, Hoyobus’ popular game Genshin Impact and even short-form video platform TikTok, fearful that their personal data might be illegally shared and abused as marketing tools in consideration of the growing number of phishing and hacking attempts coming from sources based in China.

Worries about hacking and privacy problems linked to China are not groundless. The extent of technology theft by Chinese firms has been on the rise in recent years. And last week an intelligence official was referred to the prosecution over the alleged leak of information on South Korean “black agents” operating overseas to a Chinese national of Korean descent.

The dispute over Kakao Pay also comes after Kakao founder Kim Beom-su was arrested last month for alleged stock price manipulation regarding the takeover of K-pop powerhouse SM Entertainment.

The back-to-back incidents are amplifying the crisis at Kakao and its affiliates in terms of corporate credibility. To restore its reputation, Kakao Pay has to make efforts to clarify its position with detailed facts and data, rather than focusing on technicalities and legal issues. The government and financial authorities are also required to strengthen personal data protection rules, targeting platform business operators.