Credit bureau TransUnion urged to tighten online security after local newspaper says it easily obtained data on Hong Kong Chief Executive Carrie Lam and Financial Secretary Paul Chan
- Reporters say they were able to bypass checks using identity card numbers and publicly available information
- Firm, which has records of 5.4 million people in city, denies cyber breach, saying data was fraudulently accessed
Hong Kong’s Monetary Authority and privacy watchdog have called on major international credit bureau TransUnion to improve its online authentication procedures after a local newspaper claimed it could easily access the personal credit files of public figures in the city, including Chief Executive Carrie Lam Cheng Yuet-ngor and Financial Secretary Paul Chan Mo-po.
According to its website, TransUnion maintains credit records on 5.4 million consumers in the city and 500 million consumers and businesses worldwide.
Privacy Commissioner for Personal Data Stephen Wong Kai-yi contacted the local branch of the Chicago-based agency after learning about the incident, which the watchdog said might be related to security loopholes involving the procedure for obtaining credit reports, a commission spokesman said on Wednesday.
The commissioner’s office had launched a compliance check and helped the company to take immediate remedial action to minimise any possible damage, he said. The watchdog also urged TransUnion and other financial institutions concerned in the case to halt the problematic credit file subscription procedure.
The credit bureau had contacted the authorities after Chinese-language newspaper Ming Pao reported that it was able to easily obtain credit reports for a number of public figures. It also sought to reassure its clients with a message on the homepage emphasising its “focus on data security across the company”.
“Threats are monitored and evaluated to ensure internal controls are adjusted as needed to remain effective in a rapidly changing threat environment,” the notice said.
In an article on Wednesday night, the newspaper said it had conducted a test on the TransUnion online credit report subscription service that showed the required identity check could be bypassed simply by inputting the identity card numbers and publicly available personal information of certain well-known Hongkongers and answering a few simple questions.
Reporters were then able to access the public figures’ credit scores, telephone numbers, addresses and overdue payments.
A detailed report on Thursday revealed that the city’s chief executive and financial secretary were among those whose data had been obtained.
Ming Pao’s editorial department issued a statement alongside Thursday’s report, stressing it had not obtained any information by fraudulent means.
“During the investigative process we only tried to enter the system manually, to test for loopholes,” the statement read.
“We did not use fraudulent means to obtain the information, and there was no misuse.”
All information obtained had also been destroyed on Thursday after the report was written, it added.
Privacy Commissioner for Personal Data Stephen Wong Kai-yi said there were exemptions under the Personal Data (Privacy) Ordinance, for instance if the information was obtained to prevent or investigate crimes, or was used for news reporting in the public interest.
Wong also said his office would take follow-up measures, such as launching an investigation or issuing warnings.
TransUnion said on its website that its credit reports contained mainly personal data, repayment records for credit accounts, details of credit applications, including credit cards, personal loans and mortgages, details of other credit inquiries, relevant public records and credit scores.
A TransUnion spokeswoman said it had immediately begun an internal review after being contacted by local media about the issue earlier this week.
“Our preliminary findings indicate that the reporter accessed consumer information for a very limited number of Hong Kong consumers [the public figures involved] in violation of Hong Kong data privacy law. We have contacted law enforcement to further investigate this matter,” the spokeswoman said.
She added that the incident was not a cyber breach but a misuse of consumer data to fraudulently access consumer credit files.
The spokeswoman said the company had layered security measures in place to authenticate consumers seeking to access their data. It had taken immediate action to validate its anti-fraud controls in response to the incident.
The Monetary Authority said on Wednesday that the credit information service provided by TransUnion was not under its regulation. It had learned about the situation from TransUnion and the banks.
A spokesman said the authority was told that someone had improperly obtained credit reports of third parties via the online platforms of TransUnion and other financial intermediaries.
“This improper access might involve the safety of the personal credit information provided to TransUnion by banks. The Monetary Authority has expressed its concern and has requested that TransUnion, through the Association of Banks, conduct a thorough investigation immediately, and strengthen the accreditation process as soon as possible,” he added.
The authority also notified the privacy commission.