The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG today published an investigation report on the data breach incident of a local newspaper being able to pass through the online authentication procedures of TransUnion Limited (TransUnion) and obtain the credit reports of a number of public figures (the Incident). The Privacy Commissioner found TransUnion contravened the principle under the Personal Data (Privacy) Ordinance (Ordinance) relating to data security in respect of its online authentication procedures in that it failed to take all practicable steps to ensure that the personal data held was protected against unauthorised or accidental access or use.
Major Investigation Findings
At the time of the Incident, online application for and access to credit reports by individuals was available through TransUnion’s website and its five partners’ websites / mobile application.
Data Security – Vulnerabilities in Online Authentication Procedures
The Commissioner found TransUnion contravened Data Protection Principle 4(1) of Schedule 1 to the Ordinance (Data Security) in respect of its online authentication procedures on the grounds that:
(1) an exact match of the full name and date of birth inputted by an individual against the records of TransUnion’s database was not required;
(2) the knowledge-based authentication used (a) questions that asked about the age range and Chinese zodiac sign of the individuals instead of unique dealings with TransUnion, and (b) outdated answers that could be easily screened out;
(3) access through other websites / mobile application was not blocked after an individual failed the authentication procedures on one website / mobile application; and
(4) two-factor authentication was not applied to all applications.
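As an added defender's illustration, not code from the report or from TransUnion, the following Python model shows an online authentication gate that closes the four gaps listed above: an exact match of full name and date of birth against the record, knowledge-based questions limited to current answers about the individual's unique dealings with the agency, a failure counter that is shared across the agency's own website and every partner channel so that a lockout cannot be bypassed by switching channel, and a mandatory second factor on every application. All records, channel names, questions, dates and the lockout threshold are constructed placeholders.

```python
"""Model of a credit-report authentication gate addressing the four findings.
Added illustration only; not TransUnion's or the PCPD's code. Every record,
channel name, question and threshold below is constructed for the example."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Record:
    full_name: str
    dob: date
    # Questions about the individual's unique dealings with the agency,
    # mapped to (answer, valid_until). Stale answers are never offered
    # (finding 2b), and no question about age range or zodiac sign exists
    # because those are guessable from public information (finding 2a).
    dealings_kba: dict


# Constructed sample database; the key is a placeholder applicant identifier.
RECORDS = {
    "APPLICANT-placeholder-1": Record(
        full_name="CHAN Tai Man",
        dob=date(1980, 5, 17),
        dealings_kba={
            "Which lender made the most recent enquiry on your file?": ("Bank A", date(2030, 1, 1)),
            "In which month was your most recent card account opened?": ("March", date(2019, 1, 1)),
        },
    ),
}


@dataclass
class AuthState:
    """Failure counter shared across every channel, not kept per website."""
    failures: int = 0
    locked: bool = False


MAX_FAILURES = 3          # constructed threshold
STATES = {}               # applicant id -> AuthState, shared by all channels


def exact_identity_match(record, full_name, dob):
    """Finding 1: the submitted name and date of birth must match exactly."""
    return record.full_name == full_name and record.dob == dob


def kba_questions(record, today):
    """Finding 2: offer only dealings-based questions whose answers are current."""
    return [q for q, (_, valid_until) in record.dealings_kba.items() if valid_until > today]


def authenticate(applicant_id, channel, full_name, dob, kba_answers, second_factor_ok, today):
    """Run the whole gate; returns (granted, reason). The reason string is
    deliberately generic on failure so it does not reveal which step failed."""
    state = STATES.setdefault(applicant_id, AuthState())
    if state.locked:
        # Finding 3: a lockout applies to every website and app, whichever channel failed.
        return False, f"locked (attempted via {channel})"
    record = RECORDS.get(applicant_id)
    ok = record is not None and exact_identity_match(record, full_name, dob)
    if ok:
        questions = kba_questions(record, today)
        # Deny when no current question exists rather than fall back to weak ones.
        ok = bool(questions) and all(
            kba_answers.get(q) == record.dealings_kba[q][0] for q in questions
        )
    if ok:
        # Finding 4: the second factor is required for every application, on every channel.
        ok = second_factor_ok
    if not ok:
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked = True
        return False, "denied"
    state.failures = 0
    return True, "report released"


def demo():
    """Walk the constructed scenario and return the observable outcomes."""
    STATES.clear()
    today = date(2020, 1, 1)
    aid, dob = "APPLICANT-placeholder-1", date(1980, 5, 17)
    good = {"Which lender made the most recent enquiry on your file?": "Bank A"}
    results = []
    results.append(authenticate(aid, "own_site", "CHAN Tai Man", dob, good, True, today))
    # A near-match name is rejected (finding 1).
    results.append(authenticate(aid, "partner_site_1", "Chan Tai Man", dob, good, True, today)[0])
    # Only the question with a current answer is still offered (finding 2).
    results.append(len(kba_questions(RECORDS[aid], today)))
    # Two more failures on different channels: missing KBA answers, then no second factor (finding 4).
    authenticate(aid, "partner_site_2", "CHAN Tai Man", dob, {}, True, today)
    authenticate(aid, "own_site", "CHAN Tai Man", dob, good, False, today)
    results.append(STATES[aid].locked)
    # The lockout now holds on a channel that never saw a failure (finding 3).
    results.append(authenticate(aid, "mobile_app", "CHAN Tai Man", dob, good, True, today))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The shared `STATES` table is the essential design choice: each partner website and the mobile application consult the same counter, so a lockout reached on one channel is visible to all of them at once, which is exactly what the third finding says was missing.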
Data Use – Data Display and Transfer of Data to Partners – No Contravention
The Privacy Commissioner considered the use of personal data for identity authentication and the display of credit data to the individual to be a purpose consistent with the purpose for which the data was collected. The purpose of transferring personal data to three of TransUnion’s partners, on the other hand, did not fall within the original purpose or a directly related purpose for which TransUnion collected the data concerned, and such a transfer therefore required the individual’s prescribed consent under Data Protection Principle 3(1) of Schedule 1 to the Ordinance (Data Use). Having gone through the application procedures step by step, the Privacy Commissioner found no contravention of that Principle in respect of these transfers.
The Privacy Commissioner exercised his power pursuant to section 50(1) of the Ordinance to serve an Enforcement Notice on TransUnion directing TransUnion to remedy and prevent any recurrence of the contravention in relation to data security.
Recommendations to TransUnion
The Privacy Commissioner made the following five recommendations to TransUnion:
(1) Devise privacy-friendly default setting
Transfer of credit data to TransUnion’s partners should not be a default setting, and less privacy-intrusive alternatives should be chosen.
(2) Offer individuals a choice of the types of data to be transferred
An individual may not know the exact extent of the data that would be transferred when he is asked to consent to the transfer of credit data from TransUnion to the partners concerned. TransUnion is therefore recommended to list the data and give the individual a choice of the data to be transferred to the partners.
(3) Exercise control over partners which receive personal data from TransUnion
TransUnion is recommended to conduct an audit no less than once a year to ensure that the level of data protection afforded by the partners is adequate.
(4) Conduct periodic review of online authentication procedures
Periodic reviews aimed at identifying and fixing loopholes and improving the authentication procedures (including assessing the appropriateness of using biometric authentication) in view of technological advances should be conducted by in-house and / or third-party experts.
(5) Allow individuals to access credit reports at a lower cost
The fee charged by TransUnion appeared high compared with other jurisdictions, considering the magnitude of the demand and the fees charged (or not charged) elsewhere. TransUnion is recommended to review its fee structure and offer individuals the option of obtaining a copy of the credit report, without other auxiliary services, at a lower fee.
Supervision of Credit Reference Agencies
Mr Stephen Kai-yi WONG, the Privacy Commissioner, said:
“Consumer credit data is very private to the individuals concerned. It is imperative to ensure that there is a proper balance between the privacy rights of individuals in their consumer credit data, and the interest of credit providers and society at large, to maintain both commercial viability and stability in the consumer lending industry.
“As a data user, a credit reference agency is required to comply with the Ordinance and the guidelines under the Code of Practice on Consumer Credit Data (the Code) issued by my office. Having considered all the circumstances of the case and the available information, I suggest some policy questions, inter alia, be canvassed in the future review of the Code, which requires public consultation with all stakeholders, including other relevant regulatory authorities. One of the policy questions to ask is whether there should be more than one credit reference agency in Hong Kong, given the demand for such a service and the shortage of competition in this regard.
“Whilst I remain the regulator for the protection of all personal data including credit data, I take the view that the role of a credit reference agency is an integral feature of our financial market. How it should be effectively regulated may demand further study.
“Public concern has been raised about the centralised credit database being managed by a commercial entity but not regulated by a financial regulator. The fact that TransUnion’s businesses are not regulated by other authorities cannot simply and merely be addressed by the Code, or a revised Code.”
The investigation report was published in accordance with section 48(2) of the Ordinance, after having considered that it is in the public interest to do so.