TransUnion Hong Kong was forced to suspend its online services on Thursday November 29th after a local newspaper reported that it was easily able to access the personal data of the city’s leader and finance minister.

While Chief Executive Carrie Lam Cheng Yuet-ngor has urged TransUnion to ensure the personal information of millions of Hongkongers is protected, police are investigating the company’s complaint about the unauthorised access to its data.

Chinese-language newspaper Ming Pao on Wednesday November 28th claimed it had easily obtained credit reports for a number of high-profile public figures, including Lam and Financial Secretary Paul Chan Mo-po due to TransUnion’s simple online authentication procedures.  The credit reporting agency, which holds the consumer information of 500 million people in more than 30 countries, said it had reported Ming Pao to police and temporarily suspended online services.

“Our preliminary findings indicate that the reporter accessed consumer information for a very limited number of Hong Kong consumers in violation of Hong Kong data privacy law,” the agency said. “We have contacted law enforcement to further investigate this matter.”

Lam said she had received a letter from TransUnion assuring her of remedial action.  “TransUnion, which holds the personal data of many Hong Kong citizens, has a responsibility to ensure effective security measures are in place to protect consumers’ interest,” Lam said.

The city’s banking regulator, the Hong Kong Monetary Authority (HKMA), through the Hong Kong Association of Banks (HKAB), demanded TransUnion immediately suspend its online credit report services. It also urged local banks involved to sign formal contracts with such agencies to ensure they followed privacy rules.

The HKAB said it had requested TransUnion to conduct a full investigation into the issue and take necessary enhanced security controls and measures as soon as possible.  TransUnion is not regulated by any official body in Hong Kong, even though it holds the consumer data of 5.4 million people in the city.

Lawmakers Charles Mok of the IT sector and Christopher Cheung Wah-fung of the finance industry urged the HKMA and the Office of the Privacy Commissioner for Personal Data to address the issue immediately.

“The issue is not just its sloppy authentication system, it is also about why it is not regulated by the HKMA,” Mok said. “Why should I pay for a third party to know my own credit data or why do I need to enter into a marketing relationship with another commercial entity to get a glimpse of my own credit profile, which should be free of charge? Is this reasonable?”

TransUnion compiles credit reports after obtaining consumer data from banks or money lenders, which then use the information to evaluate customers’ financial strength.  On its website the company says the credit reports it has amassed contain personal data, repayment records for credit accounts, and details of credit applications including credit cards, personal loans and mortgages.

Mok said TransUnion’s business model had gone beyond that by commercialising consumers’ credit data.

The HKMA said the credit information service provided by the company did not come under its regulatory reach.

“This is the loophole,” Mok said. “The original business model was just sharing information between the company and banks or lending institutions when customers are trying to get a loan. But there are institutions that can read your profile and pitch for lending services or, even worse, by expanding their services to make a profit out of the data. Is it fair to consumers? It has moved beyond its original business model.”

Members of the public who want to access their personal profile on TransUnion are charged HK$280.  Lawmaker Cheung said it would make sense to have the HKMA regulate TransUnion and similar service providers.

“The authority and the Office of the Privacy Commissioner should work out a regulatory regime for it,” he said.

Privacy commissioner Stephen Wong Kai-yi said his office was looking into the company’s security issue, with initial findings showing TransUnion should have done better in designing the process for authenticating personal data.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said security was “very loose” after trying to log in to his own account on TransUnion’s website.

“The company should deploy two-factor verification, which is a security process that involves two different layers of authentication, because there is a lot of important personal data involved here and much of that data is easily obtained in the public domain,” he said.

Source: South China Morning Post