Hong Kong has no plan to regulate credit reference agencies, official says – despite TransUnion security flaw that allowed easy access to personal data of millions

  • Personal information is already regulated by data privacy law, senior financial official says, sparking anger from lawmakers
  • Government is ‘shirking responsibility’ on issue, legislators say
PUBLISHED : Monday, 07 January, 2019, 7:52pm
UPDATED : Monday, 07 January, 2019, 11:04pm

Hong Kong has no plans to regulate credit reference agencies despite the recent exposure of a security flaw at a US-based firm that allowed access to the personal data of 5.4 million local consumers, a senior financial official revealed.

The comment drew fierce criticism at a Legislative Council financial affairs panel meeting on Monday because no official body regulated such consumer credit information service providers, a situation lawmakers said could put residents’ personal data safety in jeopardy.

IT sector lawmaker Charles Mok asked if the government would consider studying whether the Hong Kong Monetary Authority or other government departments should regulate such institutions.

“We have no plan to impose any financial regulation at this moment,” replied Chris Sun Yuk-han, deputy secretary for financial services and the treasury.

He said personal information was already regulated by the data privacy law.

Last November, a local newspaper said it easily accessed credit reports of a number of high-profile figures including the city’s leader and finance minister from the Hong Kong arm of TransUnion, which has operated in the city for more than 35 years.

Credit agency TransUnion forced to halt online services over security flaw

Mok and fellow lawmakers Elizabeth Quat and Dennis Kwok Wing-hang expressed disappointment at Sun’s remarks and said the government was “shirking responsibility”.

The government believed that when it came to regulation it was a case of “so far, so good”, Kwok said of Sun’s reply.

“Such an attitude to protect consumers’ personal information nowadays is extremely outdated. It is very inappropriate and wrong if you look at the global trend,” Kwok said.

Quat said there was a big regulatory loophole. Although the monetary authority strictly regulated banks, TransUnion got clients’ personal data from the lenders but was out of regulatory reach. She was also concerned about the business partners TransUnion shared clients’ information with.

The company admitted it transferred clients’ personal data to partners, but said it was only with customers’ consent.

“How do you make sure these people who gave their consent are who they claim to be?” Quat asked. “TransUnion failed to guarantee that. Its partners too. What kind of guarantee do Hongkongers have for the security of their personal data in this situation? ”

Time to get serious about cybersecurity

A motion Mok moved urging the government to study the regulation of credit reference agencies to better protect consumers’ personal information was passed unanimously.

The TransUnion incident raised concerns about the simple authentication procedures of its platform and it was forced to suspend its online services, which affected 130,000 customers.

The company said an independent third party was reviewing its security and would have a report ready in three to four weeks. Online services would not resume until the report was complete and security issues addressed, it said.

Neona Wang, TransUnion’s Hong Kong CEO, apologised for the first time to the public and the three officials whose credit reports were retrieved.

However, the company refused to recognise the incident as a data leak.

“It was a focused and intentional incursion,” TransUnion said in a paper submitted to Legco.

Privacy chief hits back at predecessor over Cathay data leak remarks

It has also enhanced security measures such as implementing a two-factor authentication for account login.

Privacy Commissioner Stephen Wong Kai-yi said the watchdog might consider publishing the report on its investigation into the incident later. He said he would make recommendations on amending the privacy ordinance after the report was done.

He also said the punishment for contravening the ordinance – a maximum fine of HK$50,000 and imprisonment for two years – seemed light.

“It might not have a deterrent effect for a company,” Wong said, adding that public, media, government and Legco attention on an incident might be more effective than a fine for a company.

The timing of the incident is awkward for TransUnion as it vies for a fintech contract from the Hong Kong Association of Banks.

HK$2.2 billion and counting: the price of lax cybersecurity

The Post previously reported that TransUnion was competing with an IBM-led consortium to become the sole manager of a major new service for banks in Hong Kong.

The association on Monday reiterated that customer data protection was the top priority for banks in Hong Kong and that it was open to any suggestions that would help enhance customer data security.

TransUnion compiles credit reports after obtaining consumer data from around 70 banks and money lenders, and then uses the information to evaluate customers’ financial health.

Separately, Arthur Yuen Kwok-hang, deputy chief executive of the monetary authority, told the meeting that the government had been studying whether it could introduce other credit report providers.

“But it’s not just about numbers,” Yuen said, noting that more providers might mean more risks on data security.