Editorial : TransUnion's security vulnerabilities

[Ming Pao] TransUnion holds the credit information of more than five million people in Hong Kong. A serious flaw has been identified in its procedures for obtaining data, as its system provides a client with personal credit information without ascertaining their identity. The security in place is unsophisticated and ridiculous.

TransUnion is the only consumer credit information service company in Hong Kong. It provides credit information management services and collects comprehensive personal credit records. In 1999, the company was acquired by TransUnion International in the US, with HSBC, Standard Chartered and BEA among its small shareholders. TransUnion's credit database contains the credit information of more than five million Hongkongers, i.e. nearly all adults living in Hong Kong. Anyone who has ever applied for a credit card, a mortgage or a loan in Hong Kong is recorded by TransUnion regardless of nationality. When a consumer borrows money from a bank, the bank normally states in the contract that their credit information will be supplied to TransUnion. The bank, when necessary, refers to a credit report by TransUnion to decide whether to lend money to a client. Contained in a credit report is sensitive information such as a consumer's credit rating, account type and outstanding balances.

With a company that stores the credit information of consumers, banks find it easier to evaluate prospective borrowers' finances. Such a company also helps stabilise financial markets. However, as TransUnion has in recent years been actively exploring the market for credit reports that individuals can request, the issue of privacy has arisen. TransUnion's collection, use and storage of personal credit information are governed by the Personal Data (Privacy) Ordinance. In no way could citizens have imagined that TransUnion's system for accessing such reports would be like an open gate. The so-called "identity verification" is haphazard and unsophisticated, so much so that it seemingly exists in name only. Theoretically, anyone who knows the identity card number of a person and pays a limited fee can dig up the most sensitive personal information of that person. In today's society, citizens have to supply their identity card numbers on a myriad of occasions. TransUnion's way of safeguarding the system is laughable and irresponsible, and citizens can hardly put their worries to rest.

TransUnion International is headquartered in Chicago with businesses around the world. It has long cooperated with US government departments at all levels. Its government advisory board has an assemblage of the best people, including ex-officials of the federal government, experts in homeland security affairs and people with a background in the Department of Defense or the CIA. It is hard to imagine that TransUnion, as a subsidiary of TransUnion International, can do such a poor job of information security. TransUnion's security vulnerabilities affect every Hongkonger, as they allow fraudsters to use such information to take out a loan by pretending to be someone else, or defraud others of their money by telling them that they have to pay to improve their personal credit ratings. Nor does TransUnion take the initiative to tell the person concerned who has viewed their personal information. As the public interest is paramount and is of overriding importance, the media has the responsibility to expose the problem.

TransUnion has suspended the service for online access to credit reports. This is just a stopgap measure. It is necessary for the government to ensure that TransUnion's loopholes are closed and strengthen the security of personal information. In the long run, it should consider introducing competition as some foreign countries have done to prevent a monopoly of the service.

Ming Pao Editorial, 2018.11.30: Hongkongers' credit privacy left undefended; large loopholes in government oversight and gatekeeping

■Glossary

assemblage : a collection of things; a group of people

overriding : more important than anything else in a particular situation

stopgap : something that you use or do for a short time while you are looking for something better