“I’m of the opinion that Softmedia has contravened the relevant requirement of the Personal Data (Privacy) Ordinance,” she said. “In particular, Softmedia has failed to take all practicable steps to protect the personal data in the credit reference system against unauthorised or accidental access, processing or use.”

Chung said a notice was sent to Softmedia demanding it establish policies and measures in the next three months to ensure money lending companies had received authorisation from borrowers before accessing their data, as well as reviewing and limiting the number of access to the database by each money lender.

“Any violation of the enforcement notice will be deemed as a criminal act, which means we can consider initiating criminal prosecution according to the situation,” she said.

The penalty upon the first conviction is a HK$50,000 fine (US$6,380) and two-year imprisonment.

The Post has reached out to Softmedia for comment.

The company claims on its website the TE Credit Reference System is the largest database of its kind in Hong Kong. But Chung said the database was not one of the service providers under the Multiple Credit Reference Agencies Model, meaning it was not regulated by the industry’s associations or laws covering the financial industry.

Between 2021 and March 2023, Softmedia received 66 complaints of credit data being retrieved by unidentified money lenders, 59 of which were substantiated, according to Chung.

“If they continue to have a credit reference system like this in operation without any regulation or without any code of practice in place, I do believe that is detrimental to the industry as a whole because borrowers will be hesitant to approach money lenders,” she said.

Cyberattack exposes data of 1.2 million guests of Harbour Plaza hotels in Hong Kong

It was discovered that Softmedia allowed “unlimited access” to the credit reference system at “a very low” fee without ensuring that consent had been obtained from the borrowers.

“When the money lender pays HK$2, it will be provided unlimited access to the credit reference system for five days,” she said. “It is regrettable that Softmedia did not regularly monitor or supervise money lenders’ access to or use of the credit reference system.”

Chung said the information was usually stored in the database upon the money borrowers’ approval but it was unknown whether the complainants had agreed to do so.

“The money lenders might want to see if the individuals wished to borrow money so they headed to the system to acquire the credit data,” she said. “They might then call the individuals and ask them if they are interested in borrowing money and promote their offers.”

The commissioner’s office also said Softmedia had failed to adopt a robust password system or ask money lenders to change the code from time to time, which might have allowed staff who had left the lending companies to access the system using old ones.

The data firm had also retained over 50,000 credit records of borrowers who had completed their repayments more than five years ago, which was equivalent to “unnecessary and prolonged retention”.

Risk of ChatGPT personal data leaks to be monitored: Hong Kong’s privacy watchdog

Chung said the firm violated another data protection principle of the privacy ordinance and would expose personal information to risk of a data breach.

She urged borrowers to be cautious when asked to sign any documents, and advised borrowers to ask money lenders how their information was being handled and whether it would be uploaded to credit databases.

She said her office would consider examining other credit reference systems for similar possible violations.

Key industry players said they had not heard of the TE Credit Reference System.

Terence Chau, the director of financial risk and regulatory compliance technology company Austreme, explained such databases were useful when money lenders wanted to assess a borrowers’ credit rating, but the TE Credit Reference System was unknown to him.

He warned borrowers might find it difficult to ensure they were protected from unauthorised use of their credit data.

“If you are borrowing money, it is very unlikely you will hire a lawyer to check every word in the documents,” he said. “Even if you discover something, you will not have the power to negotiate with the lenders on changing the terms.”

Chau suggested residents wanting to borrow the money use well established companies with good reputations, as they were more likely to offer data protection.

The government could also amend the laws to require lenders to clearly inform borrowers if their credit data would be uploaded to databases.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said borrowers could be deeply inconvenienced if other lenders obtained their personal data for promotional purposes without their consent.

“As even after five years of making the repayment, your credit information may still be stored in the database, and you may be able to receive cold calls from money lenders for the rest of your life,” he said.

Fong suggested people set up a separate phone number and email address for borrowing money or receiving other promotions.