Seven & I Holdings Co. said Thursday that it will scrap its hacked smartphone payment service, just one month after its debut, as it struggles to resolve security issues.
The Tokyo-based retail giant and operator of 7-Eleven convenience stores said it will end the service on Sept. 30, because it will likely take some time to construct a more robust system able to resume all the features from 7pay and that customers’ trust in the service has been shaken.
“We deeply apologize to customers who have trusted us and are using our barcode payment service as well as to all people involved with this service,” said Katsuhiro Goto, vice president at Seven & I Holdings, during a news conference in Tokyo.
The company also said that 808 users had been affected by the ¥38 million hack as of July 31. Seven & I Holdings said it will compensate all those targeted, adding that it has not seen any new cases since mid-July.
The service uses barcodes and QR codes together with a smartphone app. It was launched and was available from 7-Eleven stores on July 1, but complaints of unauthorized transactions started to pour in just one day later.
The firm halted payments loading 7pay accounts with funds from customers’ credit and debit cards on July 3. Currently, the service only enables users to make payments from their existing balance. It is not accepting new users, either.
As for how hackers accessed the system, Seven & I Holdings said it’s highly likely that they acquired lists of IDs and passwords for other web services and targeted those who used the same IDs and passwords for 7pay.
Seven & I Holdings admitted that its security measures for 7pay were inadequate, also acknowledging that its risk management process had failed.
The decision to end the cashless service came just two days after Seven & I Holdings reset all passwords for its 7iD users. 7iD is an online user ID used for Seven & I Holdings’ internet shopping services.
Goto said that its 7iD service maintains an appropriate level of security but that the firm reset the passwords as an extra security measure. He said that the password reset for 7iD and the 7pay situation are different issues.
Although it will terminate the 7pay service, Seven & I said it will consider introducing another cashless service in the future when the opportunity arises and as digital payments become more widespread.
As the Japanese government is heavily promoting the use of cashless payments, the security breach at Japan’s biggest convenience store chain might hinder momentum.