Public interest defence could spare newspaper from legal troubles in TransUnion credit exposé, lawyers say

  • Chicago-based firm reports incident to police, and calls Ming Pao’s actions fraudulent
  • But barrister Albert Luk suggests media outlet will avoid being prosecuted
PUBLISHED : Thursday, 29 November, 2018, 9:39pm
UPDATED : Thursday, 29 November, 2018, 11:03pm

A Hong Kong newspaper that used top officials’ personal information to expose security loopholes in a Chicago-based credit bureau’s online platform may avoid prosecution, if it was done in the public interest, say legal and privacy experts.

According to sources, TransUnion has reported the incident to police, and called the exposé a “misuse of consumer data” to fraudulently access credit reports.

In an article published on Thursday, Chinese-language newspaper Ming Pao said it obtained the credit reports of Hong Kong’s leader, Chief Executive Carrie Lam Cheng Yuet-ngor, and finance secretary Paul Chan Mo-po, from TransUnion.

The newspaper claimed loopholes in the website meant that it could obtain highly sensitive personal information using Lam and Chan’s identity card numbers and age, both of which can be found on publicly available documents.

Ming Pao also claimed to have bypassed simple security questions before obtaining the credit reports, which held sensitive information such as address, credit card and phone numbers, as well as credit records.

In a statement released on Thursday, the credit bureau accused the paper of misusing personal data.

“This was not a cyber breach. Instead, it was misuse of consumer data to fraudulently access consumer credit files,” it said.

The police said its Cyber Security and Technology Crime Bureau was investigating the incident, but did not say if it was looking at the role played by Ming Pao.

Alongside Thursday’s report, the newspaper’s editorial department issued a statement, and stressed it had not obtained any information by fraudulent means.

“During the investigative process we only tried to enter the system manually, to test for loopholes,” the statement read.

“We did not use fraudulent means to obtain the information, and there was no misuse.”

All information obtained had also been destroyed before 2am on Thursday, it said.

Barrister Albert Luk Wai-hung said Ming Pao was unlikely to be charged under the Personal Data (Privacy) Ordinance, or for accessing a computer with dishonest intent, under the city’s Crimes Ordinance.

“The information they used was not obtained illegally,” Luk said.

If the media outlet had indeed destroyed the credit reports, Luk said it should have complied with the Personal Data (Privacy) Ordinance by handling the personal information in an appropriate manner.

Even if lawsuits were launched against Ming Pao, Luk said it had a strong defence of having acted in the public’s interest.

Speaking on Thursday, Privacy Commissioner for Personal Data Stephen Wong Kai-yi said there were exemptions under the Personal Data (Privacy) Ordinance.

Though he refused to comment directly on the case, Wong said: “If someone had used the information for public interest … and if they meet certain requirements, it may be exempted.”

Such use may include a news report, or the investigation and prevention of crimes, Wong said.

In deciding whether someone had breached the ordinance, Wong said his office would look into how the personal information was obtained and used.

“The law stipulates that the motive of obtaining the information should be the same as the motive of using it,” Wong said.

If that was not the case, Wong said the data user must first obtain consent.

A government spokeswoman said both the chief executive and financial secretary’s offices had received a letter from TransUnion, but did not say if further action would be taken.