In Japan, we often think of Seven-Eleven as one of the big “black companies”. Many people feel sympathy for the franchise owners who were forced to work long hours, but at the end of the day, it was someone else’s problem, and many consumers continued to patronize the convenience store chain. However, earlier this month, a new problem hit Seven-Eleven, and it hits consumers directly: the fraudulent use of the store's 7pay payment service. And consumers are taking this issue very seriously.
Overview of 7pay fraud
According to Seven-Eleven, some 900 customers using its mobile payment service called 7pay have lost a total of 55 million yen ($510,000) due to unauthorized access to their accounts. Tsuyoshi Kobayashi, president of Seven Pay Co., said the company will compensate users for the losses caused by fraudulent access. But the fact that it took two days after the original fraud was reported to suspend acceptance of the 7pay service suggests that Seven Pay was not taking its security problems seriously enough.
Furthermore, it was revealed that Seven Pay did not apply two-step authentication (2SA) for payment. What’s worse, at the press conference, Seven Pay representatives didn’t think the lack of 2SA was problematic (they later changed their minds, though)!
If this had happened to EU residents, Seven Pay could have been fined under Data-Principle 6 of GDPR, which says that data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing." The guidelines, formulated by the Payments Japan Association, a body that promotes cashless transactions, require the operators of mobile payment services to
Two Chinese men were arrested on suspicion of attempted fraud using information obtained through unauthorized access to 7pay, and the involvement of international criminal organizations is suspected. Japan Times says “The Ministry of Economy, Trade and Industry has determined the operator, Seven & I Holdings Co., failed to strictly follow guidelines to prevent unauthorized access and warned providers of similar services to ensure they confirm the identity of users.”
The Cost of Security Negligence
In addition to compensating users for the total damage of 55 million yen in this data breach case, Seven-Eleven is forced to commit a large number of personnel to large-scale investigations and countermeasures, causing enormous financial costs. But the real cost of security negligence might be much bigger: namely, the fallen reputation of the 7pay brand! As a latecomer to the cashless payment industry, they should have been fully prepared for the security risks. Instead, time will tell how much damage the brand took from a security blunder made right after the service started.
The Key Lesson: Security comes first
This 7pay incident was intensely reported in Japan, and many security professionals pointed out their lack of security consciousness. I really don’t know how to react - just repeating the sentence “security comes first.”
In case you are like me, please take a look at your company’s security preparation. Multi-factor authentication, secure folder sharing, data encryption in transit and at rest, and centralized access control are only a few of the important functionalities company systems should have for security.