Editorial : TransUnion's security vulnerabilities

【明報專訊】TRANSUNION holds the credit information of more than five million people in Hong Kong. A serious flaw has been identified in its procedures for obtaining data, as its system provides a client with personal credit information without ascertaining their identity. The security in place is unsophisticated and ridiculous.

TransUnion is the only consumer credit information service company in Hong Kong. It provides credit information management services and collects comprehensive personal credit records. In 1999, the company was acquired by TransUnion International in the US, with HSBC, Standard Chartered, BEA among its small shareholders. TransUnion's credit database contains the credit information of more than five million Hongkongers, i.e. nearly all adults living in Hong Kong. Anyone who has ever applied for a credit card, a mortgage or a loan is recorded by TransUnion regardless of nationality. When a consumer borrows money from a bank, the bank normally states in the contract that their credit information will be supplied to TransUnion. The bank, when necessary, refers to a credit report by TransUnion to decide whether to lend money to a client. Contained in a credit report is sensitive information such as a consumer's credit rating, account type and outstanding balances.

With a company that stores the credit information of consumers, banks find it easier to evaluate prospective borrowers' finances. Such a company also helps stabilise financial markets. However, as in recent years TransUnion has been actively exploring the market of credit reports accessible to individuals, it has given rise to the issue of privacy. TransUnion's collection, use and storage of personal credit information are governed by the Personal Data (Privacy) Ordinance. In no way could citizens have imagined that TransUnion's system for accessing such reports would be like an open gate. The so-called "identity verification" is haphazard and unsophisticated, so much so it seemingly exists in name only. Theoretically, anyone who knows the identity card number of a person and pays a limited fee can dig up the most sensitive personal information of that person. In today's society, citizens have to supply their identity card numbers on a myriad of occasions. TransUnion's way of safeguarding the system is laughable and irresponsible, and citizens can hardly put their worries to rest.

TransUnion International is headquartered in Chicago with businesses around the world. It has long cooperated with US government departments at all levels. Its government advisory board has an assemblage of the best people, including ex-officials of the federal government, experts in homeland security affairs and people with a background in the Department of Defense or the CIA. It is hard to imagine that TransUnion, as a subsidiary of TransUnion International, can do such a poor job of information security. TransUnion's security vulnerabilities affect every Hongkonger, as they allow fraudsters to use such information to take out a loan by pretending to be someone else, or defraud others of their money by telling them that they have to pay to improve their personal credit ratings. TransUnion does not take the initiative to inform a client who has viewed their personal information. As the public interest is paramount and is of overriding importance, the media has the responsibility to expose the problem.

TransUnion has suspended the service for online access to credit reports. This is just a stopgap measure. It is necessary for the government to ensure that TransUnion's loopholes are closed and strengthen the security of personal information. In the long run, it should consider introducing competition as some foreign countries have done to prevent a monopoly of the service.

明報社評2018.11.30:港人信貸私隱不設防 政府監管把關漏洞大







assemblage : a collection of things; a group of people

overriding : more important than anything else in a particular situation

stopgap : something that you use or do for a short time while you are looking for sth better

上 / 下一篇新聞