TOKYO -- Seven & i Holdings' new mobile payment service has been hacked just days after its launch, dealing a blow to a key element of the Japanese convenience store operator's digital strategy.
Japan's second-largest retail group by sales on Monday rolled out 7pay, which lets users make purchases with a smartphone app at Seven-Eleven Japan's roughly 21,000 stores nationwide.
Just two days later, the parent of the chain confirmed that unauthorized charges had been made on some users' accounts after learning of them through customer feedback. Victims also tweeted about their experiences. One complained that unauthorized purchases had been made using funds added to the account from a linked credit card.
This marks a setback for digital payments in Japan, which ranks lower than Asian peers in the rate of cashless transactions. The country is hurrying to make itself friendlier to financial technology startups.
By early Thursday, Seven & i had confirmed about 55 million yen ($510,000) stolen from 900 or so 7pay users. The company has in effect suspended the service by stopping users from adding money to their accounts.
Tokyo police on Thursday arrested two Chinese nationals on suspicion of using other people's accounts to buy electronic cigarette cartridges worth about 730,000 yen from a 7-Eleven in Tokyo's Shinjuku Ward.
It was learned on Friday that one of the suspects received instructions about gaining unauthorized access to 7pay accounts via WeChat, a popular Chinese messaging app. The Metropolitan Police Department suspects the involvement of an international criminal organization.
7pay did not have two-step authentication to verify the identity of users when they log in to the service. Adding this and other new security features will take "at least three months," said one cybersecurity expert who asked not to be named. "And even that may not be enough."
Seven & i became one of the first companies in Japan to introduce its own electronic money when it debuted nanaco in 2007. But as mobile payments quickly shifted from contactless cards to smartphones, the group found itself rushing to catch up.
7pay marked the group's entry into payment apps, and Seven & i had planned to expand the use of the service to other retailers. But now even rivals worry that the incident will hurt consumer confidence in digital payments in general.
"This has thrown cold water on the market just as it was heating up," said a source at a payments company.
Hiroshi Mikitani, the billionaire founder and CEO of e-commerce group Rakuten, said: "The industry as a whole needs to make sure we raise the level of security."
The government's goal is for at least 40% of all payments to be cashless by the middle of the 2020s. Campaigns tied in with the consumption tax hike in October and the Tokyo Olympics next summer are expected to move the needle.
Various services have been launched in quick succession, but the hacking of 7pay could deter Japanese consumers from making the switch. It could also affect the timing of a reward program for cashless payments that the government has planned to link to the tax increase.
"I think there will be rising unease among consumers," said consumer finance writer Akio Iwata.
PayPay, a smartphone payment app operated by a joint venture of SoftBank and Yahoo Japan, also fell prey to unauthorized use in December, after it launched a major campaign offering incentive points worth 20% of purchase amounts.
Seven & i has a digital strategy of milking purchase data gathered though its vast store network. It has aggressively promoted 7pay, envisioned to play a key role in this strategy.
To encourage customers to shift to 7pay, Seven & i on Monday began offering fewer points for purchases made with its nanaco e-money.
Iwata said that Japan's cashless payment market stands out for its generous reward programs. As a result, "the market has overheated, and the quality of services has declined in some cases," he said.