Credit Rating Firm Kaola Accused of Privacy Breach

Kaola Credit, the credit rating service of leading payment company Lakala Payment, was accused of illegally storing and selling users’ personal data for millions of dollars, a case underscoring concerns about privacy breaches in the country’s booming fintech sector.

Beijing-based Kaola Credit was among seven companies caught up in a police crackdown on illegal use of personal data in Huai’an, central China’s Jiangsu province, state broadcaster China Central Television (CCTV) reported Wednesday.

The companies are suspected of illegally storing more than 100 million entries of personal and financial data. Kaola Credit was found to be illegally selling access to user data since 2015 in a massive leak of personal identity information. Kaola Credit was accused of providing illegal identification verification 980 million times for companies engaged in illicit operations and pocketing more than 38 million yuan ($5.4 million) from the business, according to the report.

Chinese regulators have stepped up scrutiny of how tech companies collect personal information as part of efforts to contain risks in the internet finance sector.

Since mid-September, multiple big data and data scraping companies as well as online lenders in Beijing, Shanghai, Shenzhen, Guangzhou and Hangzhou have been checked by authorities. The crackdown and wave of investigations was triggered when some online lenders were found using borrowers’ personal information to facilitate debt collection.

Lakala, Kaola Credit’s largest shareholder with 32.4%, tried to distance itself from the troubled unit, saying Kaola Credit has remained independent in financial and business operations. However, the market shunned Shenzhen-listed Lakala amid the news. The stock dropped by its daily limit of 10% Wednesday to close at 49.29 yuan.

The Shenzhen stock exchange late Wednesday issued a letter to Lakala requiring more disclosure on the company’s ties with Kaola Credit and elaboration on its business compliance.

Police arrested more than 20 people from Kaola Credit and another Beijing-based credit rating company called APiX, including the companies’ legal representatives, chairmen, and sales and technology executives, according to CCTV.

Kaola Credit said in a statement that authorities are still collecting evidence and the company is assisting in the investigation.

The company was established in 2014 with registered capital of 50 million yuan. Other shareholders besides Lakala include a Lhasa, Tibet-based investment fund and digital marketing company BlueFocus Communication Group Co. Ltd.

Kaola Credit is among the eight credit rating companies, along with Tencent Credit, Sesame Credit and Ping An Bank’s Qianhai Credit, that each own 8% of Baihang Credit Scoring, China’s national credit rating system.

Sources close to the matter told Caixin that authorities made inquiries of some executives at Kaola Credit on the issues as early as October 2018. The company has since dropped the identity verification business, and some senior Kaola Credit executives have been transferred to other posts in Lakala, sources said.

Regulators have issued a series of documents to address the issue of abuse and misuse of personal information.

Public security authorities have filed 29 breach of privacy cases and detained 288 suspects for illegal gathering of 468 million entries of personal data. The cases involve illegal gains of more than 94 million yuan, CCTV said.

According to the China Justice Big Data Service Platform, more than 30% of online crimes involve fraud and 20% are enabled by leaked personal information.

Contact reporter Han Wei (weihan@caixin.com)