Editorial: TransUnion security loopholes remain unplugged

THE security of the online service of TransUnion, which holds the credit information of over five million people in Hong Kong, was found to contain major flaws. TransUnion submitted a report to the Hong Kong Association of Banks (HKAB) six months after the flaws were exposed. However, the report was written in a slipshod manner and has been rejected by the HKAB. TransUnion's majority shareholder is a US‑based company. It is the sole consumer credit information service agency in Hong Kong. Since it holds the most sensitive financial information of Hong Kong citizens, it is obliged to strengthen privacy protection. However, TransUnion has failed to put forth any method to plug the security loopholes and reopen its online credit report service. What is even more shocking is that the report does not make a comment or draw a conclusion regarding the overall security situation. The government should strengthen its regulation of TransUnion and introduce competitors to prevent monopolies in the market.
Last year this newspaper identified a serious flaw in TransUnion's online procedures for obtaining data. A client whose identity was not ascertained could easily obtain personal credit data online. The security measures in place were unsophisticated and ridiculous. After the loopholes came to light, TransUnion suspended its online credit report service and apologised to the public at the Legislative Council.
In the investigation report submitted to the HKAB, TransUnion confirms that the risks of some of its online login procedures are "critical" and "high". However, it does not suggest any way to close the security loopholes. What is more shocking is that the report does not make a comment or draw a conclusion regarding the security measures and the overall security situation of TransUnion's online credit report service. A ridiculous error is also found in the report. An item for evaluation falls into different risk classifications in different chapters. Given the sloppiness and carelessness of the report, it is inevitable that the public is doubtful about TransUnion's intention to tackle its security loopholes.
The HKAB has rejected TransUnion's report, criticising it for being incomplete and having discrepancies. TransUnion has been asked to revise the report and provide a "full and professional" independent review. The crux of the matter is that TransUnion is not under the supervision of the Hong Kong Monetary Authority or the HKAB. The latter has made a number of requests to TransUnion, including enhancing the safety of its online system, improving the monitoring processes, and appointing an independent third party to assess the effectiveness of its remedial measures. However, TransUnion may very well turn a deaf ear to these requests. Since it is the sole company that provides this kind of service in Hong Kong, the banks sometimes have to rely on it for credit information when deciding whether to lend money to certain clients. In a monopolised market, there is nothing the banks can do if TransUnion deliberately thwarts the requests of the HKAB and does not cooperate.
Hong Kong is an international financial centre and TransUnion holds a large amount of sensitive credit and financial information about Hong Kong residents. The government should not regard the company simply as an average commercial entity. If the online security problems of TransUnion are not resolved properly soon, the government should intervene by exploring ways to strengthen supervision of the company. The government has the responsibility to ensure that sensitive financial information of Hong Kong residents will not fall into the hands of other people. All practical measures, including introducing competition into the market, should be considered to end the monopoly of an American‑based company on the personal credit information of Hong Kong.