Date: 2019-02-04

Last year this newspaper identified a serious flaw in TransUnion's online procedures for obtaining data. A client whose identity was not ascertained could easily obtain personal credit data online. The security measures in place were unsophisticated and ridiculous. After the loopholes came to light, TransUnion suspended its online credit report service and apologised to the public at the Legislative Council.

In the investigation report submitted to the HKAB, TransUnion confirms that the risks of some of its online login procedures are "critical" and "high". However, it does not suggest any way to close the security loopholes. What is more shocking is that the report does not make a comment or draw a conclusion regarding the security measures and the overall security situation of TransUnion's online credit report service. A ridiculous error is also found in the report. An item for evaluation falls into different risk classifications in different chapters. Given the sloppiness and carelessness of the report, it is inevitable that the public is doubtful about TransUnion's intention to tackle its security loopholes.

The HKAB has rejected TransUnion's report, criticising it for being incomplete and having discrepancies. TransUnion has been asked to revise the report and provide a "full and professional" independent review. The crux of the matter is that TransUnion is not under the supervision of the Hong Kong Monetary Authority or the HKAB. The latter has made a number of requests to TransUnion, including enhancing the safety of its online system, improving the monitoring processes, and appointing an independent third party to assess the effectiveness of its remedial measures. However, TransUnion may very well turn a deaf ear to these requests. Since it is the sole company that provides this kind of service in Hong Kong, the banks sometimes have to rely on it for credit information when deciding whether to lend money to certain clients. In a monopolised market, there is nothing the banks can do if TransUnion deliberately thwarts the requests of the HKAB and does not cooperate.

Hong Kong is an international financial centre and TransUnion holds a large amount of sensitive credit and financial information of Hong Kong. The government should not regard the company simply as an average commercial entity. If the online security problems of TransUnion are not resolved properly soon, the government should intervene by exploring ways to strengthen supervision of the company. The government has the responsibility to ensure that sensitive financial information of Hong Kong residents will not fall into the hands of other people. All practical measures, including introducing competition into the market, should be considered to end the monopoly of an American-based company on the personal credit information of Hong Kong.

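Ming Pao Editorial, 2019.05.23: TransUnion holds all of Hong Kong's credit data; security loopholes still not closed after half a year

A serious loophole has been exposed in the online security of TransUnion, which holds the credit data of more than 5 million people in Hong Kong. Nearly half a year later, TransUnion submitted a report to the HKAB, but the report was so sloppy and error-ridden that the HKAB sent it back. TransUnion, whose major shareholder is an American company, is the only consumer credit reference agency in Hong Kong. Holding the most sensitive financial information of Hong Kong residents, it has a responsibility to strengthen privacy protection. Yet TransUnion has been slow to propose a way to close the security loopholes and resume its online credit report service, and, what surprises outsiders even more, its report does not make a comment or draw a conclusion regarding the overall security situation. The authorities need to strengthen supervision and, at the same time, introduce competitors to break the market monopoly.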


■Glossary

come to light : to become known to people

sloppiness : the fact of showing a lack of care, thought or effort

thwart sb/sth : to prevent sb from doing what they want to do or stop sth from happening