Cyber security you wouldn't credit
Editorial | Mary Ma 30 Nov 2018
There have been reports of cyber security breaches from time to time and, in the latest incident, Hong Kong's sole credit rating agency - TransUnion - was found to have been lax in this regard.
It was reported that a local newspaper working on an investigative story was able to sign up readily, using information available in the public domain, to access the credit reports of Chief Executive Carrie Lam Cheng Yuet-ngor and Financial Secretary Paul Chan Mo-po.
It's a concern every time such an incident occurs.
In one of the more high profile cases reported recently, the Faster Payment System introduced by the Hong Kong Monetary Authority was hacked by scammers, resulting in losses ranging from HK$10,000 to HK$100,000 to the individuals, whose identities were stolen and used by the culprits to sign up to make unlawful transfers from their accounts.
Then, there's the massive data loss by the SAR's flagship carrier, Cathay Pacific, in which millions of the airline's customers had their personal data stolen by hackers. About 1.4 million customers of HSBC in the United States had also fallen victim in a separate incident.
In the digital age, traditional face-to-face customer relationships were replaced by online identification procedures. If the traditional dealings enabled a bank manager, for example, to know his clients in person, this is being replaced by inputting the personal data that, unfortunately, is no longer as secure as expected.
In the TransUnion case, the newspaper got hold of the identity card numbers of Lam and Chan from the Company Registry archives that are open to searches by the public. In the company records are directors' names, identity card or passport numbers, addresses, etc.
It's said that after a few simple steps of keying in the identity numbers, names and date of birth, the newspaper was able to create an account to view the credit reports of the two top officials. If it is increasingly common for financial institutions to text one-time passwords to customers' registered mobile numbers, TransUnion didn't require that - only including the one-time-password security feature after the newspaper contacted it to ask about the cyber loophole.
Apparently, the HKMA has no direct authority over TransUnion, or else it wouldn't have had to ask the credit rating agency through the Association of Banks to beef up its security.
The privacy commissioner said only one complaint about a personal credit rating breach was received over the past five years. I wonder if the actual number may be higher since Simon Lee, a senior lecturer at the Chinese University of Hong Kong's business school, for instance, has revealed he had also been blackmailed by fraudsters for ransom in exchange for a higher credit rating.
As Hong Kong aligns to become digital, there are bound to be more incidents of breaches, unless local companies are willing to invest substantially to fortify cyber security. The problem is that ours is a rather backward regulatory regime.
The European Union system is stringent, subjecting firms to heavy fines. It's essential the SAR adopts a regulatory regime that suits its aspirations.