Consumer credit reporting agency TransUnion had a serious security flaw in its online system that allowed outsiders to gain easy access to personal data, a media report revealed last week.
The platform holds the credit information of more than 5 million people in Hong Kong. Usually when someone applies for mortgage or credit card, most of the information will be stored into the database of TransUnion to be used as a reference by banks, credit card firms and third parties.
A local newspaper claimed that it was able to easily obtain credit reports of some prominent Hong Kong figures from the TransUnion website after filling in the ID number and answering three simple questions.
The personal data contains information such as an individual’s credit rating, address, telephone number, credit card balances, mortgage loans details, etc.
The authentication process is sloppy, since most of the questions are multiple choices and ID number and other personal data can often be obtained from government registry services.
This kind of loophole can be easily exploited by dubious lenders seeking business, or even by criminals.
The Hong Kong Monetary Authority (HKMA) and the Office of the Privacy Commissioner have called on TransUnion to immediately upgrade its security system.
It’s obvious that TransUnion has not done enough on the aspect of Know Your Customer (KYC).
Ironically, TransUnion said at the beginning of the year that it was considering joining a fintech project called Know Your Client Utility (KYCU) of the HKMA.
The credit reporting agency might as well first run a comprehensive review of its existing systems before taking up new initiatives.
This article appeared in the Hong Kong Economic Journal on Dec 5
Translation by Julie Zhu
[Chinese version 中文版]
– Contact us at [email protected]