Date
17 October 2019
TransUnion promises to strengthen the security of its computer system during a meeting of the Legislative Council's Panel on Financial Affairs on Monday. Photo: Bloomberg/HKEJ
TransUnion promises to strengthen the security of its computer system during a meeting of the Legislative Council's Panel on Financial Affairs on Monday. Photo: Bloomberg/HKEJ

TransUnion online services suspended until security issues fixed

Consumer credit reporting agency TransUnion said its online services in Hong Kong will remain suspended until an ongoing investigation of security loopholes found in its computer system is completed.

Appearing before the Legislative Council’s Panel on Financial Affairs on Monday, Neona Wang, chief executive of TransUnion’s Hong Kong branch, told lawmakers that it has hired a third party to conduct a thorough review of its security application framework and related implementation, the Hong Kong Economic Journal reports. 

Its online services will remain suspended until the review is completed and all security issues are resolved, Wang said. 

The security loopholes were discovered in November last year, when Ming Pao tried to test TransUnion’s system. 

The newspaper said it was able to obtain the credit files of a number of public figures, including Chief Executive Carrie Lam Cheng Yuet-ngor and Financial Secretary Paul Chan Mo-po, by inputting their information that was available in the public domain. 

The revelation forced TransUnion to suspend its online crediting rating system. 

The company had earlier accused the newspaper of accessing its customer data through fraudulent means and reported the matter to the police, RTHK reported.

Offering apologies to the affected officials and members of the public, Wang told the Legco panel that the company, which keeps credit records on 5.4 million consumers in the city, has been taking measures to improve the security of its online database. 

“We are working on multiple enhancements as of now, which would cover both the enrollment, verifying existing customers as well as when person returns to log in. There’s an enhanced two-factor authentication process,” she said. 

Wang said Ming Pao had someone impersonate government officials and gained unauthorized access to their credit information. 

Responding to the accusation, the newspaper said it had only conducted its probe manually and the data it obtained had all been deleted. 

Some lawmakers said current regulations covering credit reference agencies are not adequate to protect personal data. 

They said credit reference agencies are not monitored by the Hong Kong Monetary Authority (HKMA) because they are not banks, although they are subject to the Personal Data (Privacy) Ordinance. 

Deputy Secretary for Financial Services and the Treasury Chris Sun Yuk-han said TransUnion’s investigation into the incident is only limited to the security of personal data, and does not touch the regulation of the financial market. 

As such, it is not expected to result in changes in the regulation of credit report agencies, Sun said.

Privacy Commissioner for Personal Data Stephen Wong Kai-yi said his office, along with other pertinent government departments, will study whether there is a need to review the Privacy Ordinance in light of the incident, adding that it may ask TransUnion to make public its report on the investigation of the incident as a matter of public interest.

– Contact us at [email protected]

TL/JC/CG