Date: 2023-06-01

Hong Kong’s privacy watchdog has threatened to take legal action against a data management firm for failing to protect the credit histories of about 180,000 people from unauthorised access.

The Office of the Privacy Commissioner for Personal Data on Thursday said it received a complaint in December 2021 from an individual who found that his credit data, stored in a database called TE Credit Reference System, had been accessed by eight money lending companies without his consent.

Commissioner Ada Chung Lai-ling said the database’s operator, Softmedia Technology Company, had failed to take sufficient measures to protect the information it stored, which might have allowed users from about 680 money lending companies to access the credit data of roughly 180,000 people.

“I’m of the opinion that Softmedia has contravened the relevant requirement of the Personal Data (Privacy) Ordinance,” she said. “In particular, Softmedia has failed to take all practicable steps to protect the personal data in the credit reference system against unauthorised or accidental access, processing or use.”

Chung said a notice was sent to Softmedia demanding it establish policies and measures in the next three months to ensure money lending companies had received authorisation from borrowers before accessing their data, as well as review and limit the number of accesses to the database by each money lender.

“Any violation of the enforcement notice will be deemed as a criminal act, which means we can consider initiating criminal prosecution according to the situation,” she said.

The penalty upon the first conviction is a fine of HK$50,000 (US$6,380) and two years’ imprisonment.

The Post has reached out to Softmedia for comment. The company claims on its website that the TE Credit Reference System is the largest database of its kind in Hong Kong.

But Chung said the database was not one of the service providers under the Multiple Credit Reference Agencies Model, meaning it was not regulated by the industry’s associations or laws covering the financial industry.

Between 2021 and March 2023, Softmedia received 66 complaints of credit data being retrieved by unidentified money lenders, 59 of which were substantiated, according to Chung.

“If they continue to have a credit reference system like this in operation without any regulation or without any code of practice in place, I do believe that is detrimental to the industry as a whole because borrowers will be hesitant to approach money lenders,” she said.

It was discovered that Softmedia allowed “unlimited access” to the credit reference system at “a very low” fee without ensuring that consent had been obtained from the borrowers.

“When the money lender pays HK$2, it will be provided unlimited access to the credit reference system for five days,” she said. “It is regrettable that Softmedia did not regularly monitor or supervise money lenders’ access to or use of the credit reference system.”

Chung said the information was usually stored in the database with the borrowers’ approval, but it was unknown whether the complainants had agreed to this.

“The money lenders might want to see if the individuals wished to borrow money so they headed to the system to acquire the credit data,” she said. “They may then call the individuals and ask them if they are interested in borrowing money and promote their offers.”

The commissioner’s office also said Softmedia had failed to adopt a robust password system or ask money lenders to change their passwords, which might allow staff who had left the lending companies to access the system using old ones.

The data firm had also retained over 50,000 credit records of borrowers who had completed their repayments more than five years ago, which amounted to “unnecessary and prolonged retention”.

Chung said the firm violated another data protection principle of the privacy ordinance and would expose personal information to the risk of a data breach.

She urged borrowers to be cautious when asked to sign any documents, and advised them to ask money lenders how their information was being handled and whether it would be uploaded to credit databases.

She said her office would consider examining other credit reference systems for similar possible violations.