Security loopholes found in the online portal of consumer credit reporting company TransUnion have allowed reporters to illegally access private information belonging to Chief Executive Carrie Lam and Financial Secretary Paul Chan.
Ming Pao journalists were able to obtain credit reports for Lam and Chan by inputting their identity card numbers, publicly available information and answering some simple questions, the paper reported on Thursday.
By Thursday evening, TransUnion had temporarily suspended all online services for retrieving credit reports in Hong Kong.
TransUnion, an international firm founded in 1982, has around 5.4 million customers in Hong Kong and is the city’s leading consumer credit reporting company.
TransUnion said on Thursday, without directly referring to Ming Pao, that only a handful of consumer credit reports were accessed. The firm added that the reports were accessed illegally, and has contacted law enforcement for further investigation.
In response, Ming Pao’s editorial department issued a statement saying that it only tried to access TransUnion’s system through manual attempts to test for loopholes. The newspaper denied any element of fraud or misuse in obtaining the reports.
“All information gathered was for the purposes of reporting only. After the report was complete, all personal information was destroyed at 2am [on Thursday],” the statement added.
The Privacy Commissioner for Personal Data expressed concern over the incident and said it would conduct a compliance check. The Privacy Commissioner added that it had conducted its own preliminary testing and had found security flaws.
“Regarding the application procedures for credit reports in TransUnion’s website, the design of the multiple-choice answers to the authentication questions poses security risks,” the PCPD said in a statement.
The Hong Kong Monetary Authority also expressed concern and asked TransUnion to fully investigate the incident.
TransUnion’s online service required personal information – name, ID card number, date of birth and phone number – for authentication. However, Ming Pao reported that only the ID card number needed to be correct: the reporters were able to pass this stage by filling the remaining fields with random information.
The second stage of the online service had three multiple-choice questions. It asked the person’s age, which bank issued their credit card, and the last four digits of their credit card number. For the card-number question, Ming Pao said it was able to pass by clicking “none of the above.”
The reporter was then able to access Lam’s credit record, past and present addresses and phone number.
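The two-stage check described above, modelled as an added example for this article rather than TransUnion’s own code, data or logic. The enrolled record is constructed, the three-attempt lockout threshold and the question wording are assumptions, and `weak_authenticate` models the two reported weaknesses as the verifier ignoring the stage-one fields other than the ID number and treating “none of the above” as a correct card-digit answer. `HardenedVerifier` shows the corrected design next to it: every supplied field is compared against the record in constant time, the card question offers the real value among distractors with no escape option, and repeated failures lock the ID.

```python
"""Toy two-stage knowledge-based authentication (KBA) flow.

Constructed illustration for this article: the record, the question set and
both verifiers below are invented to model the two weaknesses described
(a first stage that checks only the ID number, and a multiple-choice second
stage in which 'none of the above' passes). None of it is TransUnion's code,
data or logic.
"""
import hmac
import random
from dataclasses import dataclass, field

NONE_OF_THE_ABOVE = "none of the above"
MAX_ATTEMPTS = 3  # assumed lockout threshold for the hardened verifier


@dataclass
class Record:
    hkid: str
    name: str
    dob: str          # YYYY-MM-DD
    phone: str
    age: int
    card_issuer: str
    card_last4: str


# Fictitious enrolled record (constructed sample data).
RECORDS = {
    "A1234567": Record("A1234567", "Alice Wong", "1970-05-01",
                       "91234567", 54, "Bank A", "4821"),
}
# Used when the ID is unknown so every path performs the same comparisons.
DUMMY = Record("", "", "", "", -1, "", "")


def weak_authenticate(hkid, name, dob, phone, answers):
    """Model of the flawed flow. Stage 1 only checks that the ID exists;
    name, dob and phone are collected but never compared. Stage 2 treats
    the 'none of the above' choice as a correct card-digit answer."""
    rec = RECORDS.get(hkid)
    if rec is None:
        return False
    age_ok = answers.get("age") == rec.age
    issuer_ok = answers.get("issuer") == rec.card_issuer
    last4 = answers.get("last4")
    last4_ok = last4 == rec.card_last4 or last4 == NONE_OF_THE_ABOVE
    return age_ok and issuer_ok and last4_ok


def _eq(supplied, enrolled):
    """Constant-time comparison of normalised string values."""
    a = str(supplied).strip().lower().encode()
    b = str(enrolled).strip().lower().encode()
    return hmac.compare_digest(a, b)


def card_options(rec, rng, n_distractors=3):
    """Options for the last-four-digits question: the true value plus random
    distractors, shuffled, with no escape choice an attacker can pick blind."""
    opts = {rec.card_last4}
    while len(opts) < n_distractors + 1:
        opts.add(f"{rng.randrange(10000):04d}")
    opts = sorted(opts)   # fixed order before shuffling keeps output deterministic
    rng.shuffle(opts)
    return opts


def sample_card_question(hkid="A1234567", seed=1):
    """Convenience wrapper: the card question for one record with a seeded RNG."""
    return card_options(RECORDS[hkid], random.Random(seed))


@dataclass
class HardenedVerifier:
    failures: dict = field(default_factory=dict)

    def locked(self, hkid):
        return self.failures.get(hkid, 0) >= MAX_ATTEMPTS

    def authenticate(self, hkid, name, dob, phone, answers):
        if self.locked(hkid):
            return False
        rec = RECORDS.get(hkid, DUMMY)
        checks = [
            _eq(name, rec.name),
            _eq(dob, rec.dob),
            _eq(phone, rec.phone),
            _eq(answers.get("age"), rec.age),
            _eq(answers.get("issuer"), rec.card_issuer),
            # Exact match only; there is no 'none of the above' to accept.
            _eq(answers.get("last4"), rec.card_last4),
        ]
        if rec is DUMMY or not all(checks):
            self.failures[hkid] = self.failures.get(hkid, 0) + 1
            return False
        self.failures.pop(hkid, None)
        return True
```

With the weak verifier, an ID number plus the publicly known age and card issuer is enough: the stage-one fields can be junk and the card question is answered with the escape option. The hardened verifier rejects the same input, and the lockout limits how many guesses at the remaining unknown (the four card digits) an attacker gets per ID.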
Responsibility to protect data
A spokesperson for the Chief Executive’s Office said Lam had received a letter from TransUnion stating that the company has taken remedial measures.
“As TransUnion holds a massive amount of the public’s personal data, it has the responsibility to protect such data with effective security measures. If there are any loopholes in the system, TransUnion must take immediate remedial actions to protect the rights of the public,” the spokesperson added.
Information Technology sector lawmaker Charles Mok called the incident a “major mistake” for TransUnion, and noted that the company did not fall under the regulatory framework of the Monetary Authority.
“The incident highlighted the fact that financial data – which users care about deeply – is not directly regulated by the Monetary Authority… What extent can [TransUnion] be regulated?” he said.
Mok said he has written to the legislature’s Panel for Financial Affairs to ask for a follow-up meeting with relevant parties.