Skip to content

Media Statements

Media Statement - Privacy Commissioner Receives Credit Data Breach Notification

Date: 28 November 2018

Privacy Commissioner Receives Credit Data Breach Notification

The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG received a data breach notification from TransUnion Limited (TransUnion) in respect of suspected security loopholes in the application procedures for credit reports. The Privacy Commissioner has contacted TransUnion and initiated a compliance check to find out the facts and assist TransUnion to take immediate remedial actions in order to mitigate any possible losses.
 
The office of the Privacy Commissioner for Personal Data (PCPD) learnt that TransUnion had enhanced its security measures immediately, including freezing the online accounts concerned, notifying the affected individuals and applying One Time Password (OTP) authentication. The PCPD appeals to TransUnion and credit agencies or intermediaries to stop the application procedures in question, plug the suspected security loopholes, strengthen the authentication procedures (e.g. multiple authentication, enhanced security questions, etc.) and inform the affected individuals once they are identified.
 
After conducting a preliminary test on the possible security issues, the PCPD has the following preliminary observations:
  • Regarding the application procedures for credit reports in TransUnion’s website, the design of the multiple-choice answers to the authentication questions poses security risks.
  • In the provision of credit report services, the websites of some credit agencies or intermediaries provide links to TransUnion’s website and requesters likewiseneed to answer the authentication questions that pose security risks.
  • Some credit agencies or intermediaries claim that they can provide free “TransUnion credit reports” and clearly show the word “TransUnion” on their websites/applications. To obtain credit reports, requesters can simply provide two sets of personal data, which can be obtained in the public domain, even though they fail to answer any other authentication questions.
If members of the public find any irregularities in their personal accounts of financial institutions or credit card accounts, they should immediately contact the financial institutions, law enforcement agencies or licensing authorities for follow-up actions. Nobody should make use of others’ personal data to obtain credit reports by illegal means or without others’ consent.
 
-End-