Unauthorised Access to Credit Data in the TE Credit Reference System

Investigation Report

Published under Section 48(2) of the Personal Data (Privacy) Ordinance
(Chapter 486, Laws of Hong Kong)

Unauthorised Access to Credit Data in the TE Credit Reference System

Executive Summary

Background

1. The Office of the Privacy Commissioner for Personal Data ("PCPD") received a complaint lodged by a member of the public. The complaint was related to the TE Credit Reference System.
2. The TE Credit Reference System was developed and operated by Softmedia Technology Company Limited ("Softmedia").

Investigation Case

3. The complainant had been obtaining loans from a number of money lending companies. On 28 December 2021, the complainant was informed by one of these companies that his credit records in the TE Credit Reference System had been accessed by several other money lending companies and he was asked whether he had recently encountered severe financial difficulties.
4. The complainant stated that he was not aware of these money lending companies and had never applied for any loan from them. The complainant queried how they had obtained his authorisation to access the TE Credit Reference System. He was worried that the TE Credit Reference System's security measures were inadequate in protecting his personal data so that the money lending companies were able to access his credit data without his consent. The complainant therefore lodged his complaint with the PCPD.

Investigation by the Commissioner

5. After making preliminary inquiries, the Privacy Commissioner for Personal Data (the "Commissioner"), in accordance with Section 38(a)(i) of the Personal Data (Privacy) Ordinance (the "Ordinance"), commenced an investigation regarding the subject complaint into the TE Credit Reference System operated by Softmedia.
6. During the investigation, the Commissioner wrote to Softmedia on six occasions and received written replies and relevant documents from them. PCPD staff had also visited Softmedia's Kowloon Bay office, made inquiries with the representatives of Softmedia and obtained information pertinent to the case from the company.
7. The Commissioner noted that Softmedia was not one of the credit reference agencies^[1] shortlisted by the Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies, and the Hong Kong S.A.R. Licensed Money Lenders Association Limited (collectively "Industry Associations") under the Multiple Credit Reference Agencies ("MCRA") Model. Thus, it is neither regulated by these Industry Associations^[2] nor by ordinances related to the finance industry, such as the Money Lenders Ordinance (Chapter 163, Laws of Hong Kong) or the licensed money lenders' code of practice.

Findings and Contraventions

Background of Softmedia

8. According to Softmedia's website^[3], Softmedia was established in 1991 and focused on database establishment and interactive CD-ROM design. As network operating systems rapidly grew, Softmedia developed various new-generation software management systems for clients in fields such as loans, beauty salons, education, and retail, etc. Softmedia's clients included government departments, listed companies and small and medium-sized enterprises in various industries.
9. With the aim of providing services to money lending companies and borrowers with access to and processing of credit data, Softmedia developed two systems and a mobile application, respectively known as the TE Credit Reference System and the Loan Management System for money lending companies, and the "MyLoan" mobile application for borrowers. Softmedia also used independent cloud servers for each of its systems and the mobile application to store the data collected.

TE Credit Reference System

10. Softmedia stated that it established the TE Credit Reference System in January 2016, which was developed for the purpose of providing a platform on which money lending companies could assess the credit data of borrowers before deciding whether to approve or reject their loan applications. The TE Credit Reference System does not prescribe credit scores of individual borrowers.
11. As of December 2022, around 680 money lending companies participated in the TE Credit Reference System, which involved credit data of about 180,000 data subjects.

"MyLoan" Mobile Application

12. Borrowers can check their credit records through the "MyLoan" mobile application via its "View the TE credit report application" function.

TE Credit Reference System contained "personal data" as defined under the Ordinance^[4]

13. Softmedia stated that the TE Credit Reference System only involves the HKID numbers and credit data of borrowers (i.e., data subjects) and does not store their names, addresses, phone numbers, dates of birth, or other personal data. The HKID numbers stored in the TE Credit Reference System are transformed into codes by an algorithm instead of complete HKID numbers.
14. Softmedia explained that the process of transforming a HKID number into a code is irreversible. The actual HKID number of a borrower cannot be viewed in the TE Credit Reference System and the database only contains a set of codes with the corresponding credit data. Thus, Softmedia considered that the TE Credit Reference System does not contain any "personal data" of the borrowers.
15. The Commissioner disagreed with Softmedia's view that it is not holding any personal data. In the Commissioner's opinion, although Softmedia stores HKID numbers in the form of codes, based on the unique and invariable characteristics of an HKID number and the fact that the same code would always be generated after inputting the same HKID number into the TE Credit Reference System, the code concerned is an identifier assigned to a borrower by Softmedia for its operation. This identifier can uniquely identify the borrower, thus constitutes a "personal identifier"^[5] and also "data"^[6] as defined under the Ordinance.
16. From another perspective, Softmedia stated that the purpose of establishing the TE Credit Reference System is to provide reference data by way of a platform to money lending companies, so that they can make loan assessments based on the credit data of borrowers before deciding whether to approve or reject their loan applications. If the TE Credit Reference System did not hold personal data, the money lending companies could not achieve such purpose of making reference to the credit records of individual borrowers in assessing their loan applications.
17. With regard to the subject complaint, the money lending company acquainted with the complainant was able to identify the complainant by combining data from the TE Credit Reference System and the Loan Management System, and thereby discovered that his credit data had been accessed many times. This demonstrates how it is practicable for the money lending companies to directly or indirectly ascertain the identity of a data subject from the data mentioned above, which therefore constitutes "personal data" under the Ordinance.

Actual operation of accessing the TE Credit Reference System

18. According to Softmedia, a money lending company using the TE Credit Reference System must obtain a signed "Authorization Letter of TE Credit Information Inquirement" from the borrowers before it uploads and subsequently accesses any personal data of the borrowers on the TE Credit Reference System. The money lending company can access the TE Credit Reference System through its Loan Management System to make relevant inquiries. In the present case, the acquainted money lending company of the complainant learnt from the said channel that the complainant's credit data in the TE Credit Reference System had been accessed by eight money lending companies unacquainted with the complainant, and one of them had accessed his data three times within seven days.
19. With respect to the present complaint and the intervention of the PCPD, Softmedia made inquiries and found that none of the eight money lending companies involved could provide the complainant's signed "Authorization Letter of TE Credit Information Inquirement". Each provided a different explanation, such as "probably because of the recent follow-up with the complainant on his repayment status and made the loan inquiry"; "the complainant agreed to upload loan data to the database in 2020"; "the company's normal procedures would provide an authorisation letter"; "the complainant had inquired about the loan issue, but the application was not approved"; and "the authorisation letter should have been filled in, but the company was moving office at the time, the document handling process was in a mess". One of the companies even stated that "a former employee accessed the database without the company's authorisation and the employee was fired".
20. Although Softmedia required the money lending companies to declare that they had obtained the consent and authorization of the borrowers before they could access the credit data in the TE Credit Reference System, the investigation revealed that the money lending companies could freely access the credit data in the TE Credit Reference System without complying with this requirement. Softmedia did not appear to have examined the statements of consent and authorization letters from the borrowers that the money lending companies should have obtained. Thus, a contravention loophole is plainly apparent.
21. With regard to how Softmedia monitored the use of the TE Credit Reference System by the money lending companies in order to detect and investigate any abnormal or improper access or use of the TE Credit Reference System, Softmedia stated that the user agreement entered into between Softmedia and the money lending companies stipulated that "[t]he purpose of this database is for the [money lending companies] to access the past credit records of the borrowers such as loan applications, loan repayment completed, delayed repayment, repayment in arrears, payment settled after being chased, bad debts and so on, for reference". Softmedia therefore relies on the money lending companies abiding by the user agreement and using the TE Credit Reference System as intended, and claimed that it was not able to monitor each of the companies individually.
22. Softmedia stated that the money lending companies are responsible for monitoring their employees' use of the TE Credit Reference System, such as through assigning authorised access to the database, restricting use inside or outside of the company, and removing staff access rights. Softmedia has no right to interfere with the personnel management of money lending companies.
23. According to the information obtained by the Commissioner, from 2021 to March 2023, Softmedia received 66 complaints from borrowers who stated that their credit data were accessed by unknown money lending companies. Of these, 59 complaints (i.e., nearly 90%) were substantiated after investigation. However, Softmedia merely issued warning letters to the companies in breach or suspended their use of the TE Credit Reference System for several days. The level of penalty depends on the number of contravention(s). For example, a user will initially receive a warning letter after a first contravention and be suspended from accessing the TE Credit Reference System for one day; the user's access will be suspended for five days on its second contravention and for 15 days after a third contravention; and its use of the TE Credit Reference System will only be permanently terminated after a fifth contravention . These penalties brought about minimal hinderance on the operation of the money lending companies and lacked deterrent effect.

Softmedia Contravened Data Protection Principle 4(1)

Unauthorised Access to the Credit Data

24. Data Protection Principle 4(1) in Schedule 1 to the Ordinance provides that all practicable steps shall be taken to ensure that any personal data (including data in a form through which access to or processing of the data is not practicable) held by a data user is protected against unauthorised or accidental access, processing, erasure, loss, or use.
25. The participating money lending companies are only charged when they use the TE Credit Reference System (i.e. a money lending company can gain unlimited access to a borrower's credit data for five days with a payment of $2, and this five-day cycle can be repeated with no limits set in terms of payment or access). Thus, a money lending company can gain unlimited access to the credit data of a specific borrower as long as it declares that it has obtained authorisation from the borrower and pays the fees. The investigation revealed that Softmedia neither restricted the number of times the money lending companies can access a borrower's data nor regularly monitored their use of the TE Credit Reference System. Softmedia did not, for example, actively monitor or detect any abnormal access by money lending companies through audit trails.
26. The Commissioner understands that money lending companies may bear higher financial risks than banks when granting loans to individuals. They may have to closely track a borrower's financial status and credit record. However, this does not mean that money lending companies may access borrowers' credit data without restrictions. As the operator of the TE Credit Reference System, Softmedia should strike a reasonable balance between the actual needs of the money lending companies and the protection of personal data privacy and formulate measures to regulate and monitor the use of the TE Credit Reference System by these companies, such as limiting the maximum number of times they can access the credit data of a borrower within a certain period, to ensure compliance with Data Protection Principle 4(1) of the Ordinance.
27. This complaint also revealed that at least eight money lending companies unacquainted with the complainant, let alone with his consent or authorisation, accessed his credit data. Regrettably, Softmedia relies on the money lending companies to declare whether they have obtained the consent and authorisation of the borrowers without considering the possibility that certain money lending companies may make use of this loophole to gain unrestrained access to the credit data. This arrangement falls far below the general standard and is highly disappointing, both in terms of compliance with legal requirements and the protection of borrowers' privacy.

Weak Password Management

28. According to the information provided by Softmedia, the money lending companies can only log in to the TE Credit Reference System via its Loan Management System by inputting a password. Although Softmedia claimed that it has set specific requirements regarding the minimum length and complexity of these passwords, the money lending companies can in fact use a password that is considered weak in terms of length and complexity^[7].
29. In addition, Softmedia does not set restrictions in its System requiring the money lending companies to regularly change their passwords. The money lending companies can set a password in the System as they wish and the use of the same password over a long period means that employees can potentially obtain the password with ease to enter and access the TE Credit Reference System without authorisation by the companies and continue to do so after leaving the companies, rendering the security function of the password virtually useless.

Conclusion

30. The investigation revealed that the TE Credit Reference System is akin to an open credit data platform used by licensed money lenders. Licensed money lending companies can have unlimited access to credit data at a very low fee. The passwords of the TE Credit Reference System can be freely set by the money lenders, and it is doubtful whether the TE Credit Reference System can in fact effectively prevent improper or illegal logins.
31. This situation raises concern, as the TE Credit Reference System contains personal data of about 180,000 borrowers and up to now, the TE Credit Reference System is used by as many as 680 money lending companies. It is therefore a sizeable credit reference database. Credit data is generally regarded as sensitive personal data, and any improper or unauthorised access to them can result in serious financial losses and violate the privacy of the data subjects concerned. Softmedia, as the operator of the credit reference database, apart from providing accurate credit data and highquality services to the money lending companies and data subjects, should also take appropriate security measures in accordance with the requirements of the Ordinance. It should continuously monitor and review the use of the database so that it can detect and investigate any abnormal or improper access or use of the data so as to meet the expectations of the general public and protect the personal data held by Softmedia against unauthorized or accidental access, processing or use.
32. The investigation revealed that the complainant's personal data was accessed, processed, or used without his authorisation because Softmedia did not take appropriate security measures to monitor and manage the access to and use of the TE Credit Reference System by money lending companies, which is regrettable. In addition, Softmedia has not adopted a strong password policy, or set expiration dates for passwords, notwithstanding the amount and nature of the relevant data. The current operation does not meet the basic requirements of network security, which shows that Softmedia has not taken adequate measures to protect personal data. In the present case, the Commissioner considers Softmedia to have failed to take all practicable steps to protect the personal data in its TE Credit Reference System against unauthorized or accidental access, processing or use and is of the opinion that Softmedia has contravened the requirements of Data Protection Principle 4(1) on the security of personal data.

Softmedia Contravened Data Protection Principle 2(2)

Softmedia Retained the Credit Records of Those Who Had Completed their Repayments for More Than Five Years

33. Data Protection Principle 2(2) of the Ordinance provides that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used.
34. The Code of Practice on Consumer Credit Data^[8] ("the Code") was issued for the purpose of providing practical guidance with respect to any requirements under the Ordinance imposed on data users. In particular, paragraphs 3.3, 3.3.1, 3.3.2, 3.4A and 3.4B of the Code specify the retention period of account repayment data (including account repayment data revealing or not revealing material default^[9]) in the credit reference agency's database. In case of material default, the credit reference agency can only retain the account repayment data in its database up to five years either from the date of final settlement of the amount in default or from the date of the individual's discharge from bankruptcy, whichever is earlier.
35. Softmedia stated that for a borrower to delete credit data from the TE Credit Reference System, it must first establish that the borrower (i) has completed all repayments and (ii) at least five years have passed from the date of final settlement of the debt. If these conditions are satisfied, the borrower may request the money lending company to notify Softmedia to delete the relevant credit data, but Softmedia will not proactively delete the credit data from the TE Credit Reference System.
36. Softmedia confirmed that the TE Credit Reference System holds over 50,000 credit records of which at least five years have passed from the date of final settlement of the debt.
37. The Commissioner understands that the industry has to use this material default information to assess whether to grant loans, and the absence of such payment information may impair the ability of money lending companies to assess a borrower's financial situation. Nevertheless, such consideration should not be a reason for indefinite retention of a borrower's credit record by a credit reference agency which is noncompliant with the requirements of Data Protection Principle 2(2). Softmedia must therefore set a retention period for credit data if repayments have been completed, and such data cannot be retained indefinitely.

Conclusion

38. Data Protection Principle 2(2) of the Ordinance provides that personal data should not be kept longer than the period that is necessary for the fulfilment of the purpose for which the data are or are to be used. Paragraphs 3.3, 3.3.1 and 3.3.2 of the Code provide that credit reference agencies can only retain account repayment data in their database for five years after the date of final settlement or the date of discharge from bankruptcy, whichever is earlier. Softmedia clearly did not meet the requirements of the Code or implement a policy of credit record deletion after repayments. It still retains over 50,000 records of borrowers who completed repayments more than five years ago. Softmedia did not comply with the requirements of the Ordinance and also put the personal data of borrowers at risk. Thus, in the opinion of the Commissioner, Softmedia has contravened Data Protection Principle 2(2) as regards the retention period of personal data in this case.

Enforcement Actions

39. The Commissioner is of the opinion that Softmedia has contravened Data Protection Principles 4(1) and 2(2) of the Ordinance on the security of the TE Credit Reference System and the retention of credit records. She has therefore served an Enforcement Notice on Softmedia pursuant to the powers conferred on her by Section 50(1) of the Ordinance, directing it to take the following actions to remedy and prevent recurrence of the relevant contraventions:
    1. To delete all credit data in the TE Credit Reference System in respect of which five years or more have been lapsed from the date of the final settlement of the loan, regardless of whether the data subject has requested Softmedia directly or through the money lending company for the deletion of the relevant data;
    2. To formulate policies and procedures to ensure that the retention period of credit data in the TE Credit Reference System meets the requirements of the Code including (i) credit data regarding completed repayments will not be retained for more than five years unless as required by other legal requirement(s); (ii) credit data showing a default payment for not exceeding 60 days will not be retained for more than five years; and (iii) the relevant credit data is immediately deleted after the expiration of the retention period (unless as required by other legal requirement(s));
    3. To formulate personal data protection policies and procedures and adopt measures to regularly review whether employees have complied with these policies and procedures when carrying out their duties;
    4. To review and impose restrictions on the number of times money lending companies can access the TE Credit Reference System, and formulate monitoring measures to detect any non-compliant access;
    5. To formulate policies and measures to verify that the money lending companies have obtained authorisations from the borrowers before accessing their data in the TE Credit Reference System;
    6. To formulate and implement a strong password management policy for the TE Credit Reference System; and
    7. To provide documentary proof to the Commissioner within three months from the date of the Enforcement Notice, proving that the instructions specified in (i) to (vi) above have been complied with.

Recommendations

40. Section 48(2) of the Ordinance provides that the Commissioner may, after completing an investigation and if she is of the opinion that it is in the public interest to do so, publish a report setting out the results of the investigation, any recommendations and other comments arising from the investigation as she sees fit to make.
41. This investigation involved the personal data of a significant number of members of the public. Therefore, in addition to serving an Enforcement Notice pursuant to Section 50(1) of the Ordinance, the Commissioner would like to make the following observations and recommendations through this report to Softmedia and other operators of credit reference databases.

The Commissioner's Observations

42. Credit data is currently an important indicator of an individual's financial credibility and borrowing capacity. With the development of the digital economy, the proper handling and protection of credit records are essential for protecting personal data privacy and ensuring financial data security. The public will reasonably expect that their personal credit data, whether positive or negative, would be adequately protected by credit reference agencies and would not be subject to unrestricted access by unauthorised or unrelated organisations.
43. The Commissioner noted that the current operation and management of the TE Credit Reference System is neither regulated by the industry code nor the relevant laws of the financial sector, including the Money Lenders Ordinance (Chapter 163 of the Laws of Hong Kong) and the code of practice of licensed money lenders, and the situation is far from satisfactory. To ensure the data security of the database and the protection of borrowers' personal data privacy, the Commissioner recommends that the operation and management of any credit reference database be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems. It is of crucial importance that appropriate penalties should be imposed on wrongdoers, that the privacy of borrowers should be adequately protected, and the security of the database should be properly safeguarded.

Implementing a Personal Data Privacy Management Programme

44. Awareness of personal and credit data protection is already deeply ingrained in the minds of the general public. Data users have the undeniable responsibility to take effective measures to protect such data. The Commissioner encourages organisations to implement a "Personal Data Privacy Management Programme"^[10] through which personal data privacy protection can be incorporated into their data governance responsibilities. They should bear in mind the importance of personal data protection in daily operations and adopt a top-down approach in executing open and transparent information policies and standing instructions, so as to signal their determination in exemplifying good corporate governance. This will benefit and help an organisation to earn its reputation, gain trust of its customers and build a positive image of compliance with laws and regulations.

Appointing Data Protection Officer(s)

45. The Commissioner recommends that the operators of the credit database appoint a data protection officer to be responsible for overseeing compliance with the requirements under the Ordinance and implementing the aforementioned "Personal Data Privacy Management Programme", who should regularly report to management. A data protection officer shall also enhance staff awareness of personal data privacy protection, ensure the implementation of any personal data protection policies, and develop a culture of respecting and protecting personal data privacy.

Appointing an Independent Compliance Auditor

46. The Commissioner recommends as a good practice that credit reference agencies engage an independent compliance auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services including assessing the security of the credit data held in their databases and whether the measures they have taken to protect the security of borrowers' credit data are adequate.

Adopting Strict Penalties for Contravention

47. In the present case, the Commissioner considers that the punishment by Softmedia of merely suspending the contravening money lending companies from using the TE Credit Reference System for a few days was inadequate.
48. As money lending companies require the use of the data in the credit database as reference before approving loan applications, the Commissioner considers that any companies in contravention should not be lightly allowed to continue to use the TE Credit Reference System. Apart from limiting the number of periods or times they can access the credit databases, other penalties (for example, increasing the access fee or fines, etc.) should be considered, and the operators of the credit databases should, depending on the circumstances, consider terminating the access rights of the relevant money lending companies.

Annex 1

Authorization Letter of TE Credit Information Inquirement

Authorization Letter of TE Credit Information Inquirement
TE信貸資料查詢授權書

I, User's Name (HKID No./Other Document No. aaa) hereby authorize **** Loan Company Limited to inquire my related loan information for processing the loan application and repayment within the "TE Credit Reference System "hereafter. "Information" includes applied amount, installment periods, approval, rejection, payout, overdue payment, arrears, OCA, bad debt, and interest arrears. (Exclude the personal information: phone number, address and date of birth)

本人 User's Name (香港身份證 / 其他證件號碼：aaa) 僅此同意及授權 ****財務有限公司 是次及將來有權查詢本人於 TE信貸資料庫內由 TE信貸資料庫其他會員 (即信貸資料提供者) 提供的信貸資料，信貸資料包括本人之申請金額、期數、批核、拒絕、放款、逾期還款、拖欠、交追數、撇帳及現時尚欠本息的部分或全部資料 (但不包括本人之電話、住址、出生日期)，用作審批貸款申請及了解日後還款情況之用途。

Declaration 聲明

Inquiry / change of personal particulars

The Borrower have right to request his/her personal credit report from Softmedia Technology Co. Ltd., who operates "TE Credit Reference System", or check the report through Application "MyLoan".

查詢 / 更改個人借貸資料

借款申請人日後亦可向提供 TE 信貸資料庫服務的機構 Softmedia Technology Co. Ltd. 要求索取個人信貸資料報告或透過 MyLoan App 註冊及認證後自行查閲自己的信貸資料報告。

If any information of the TE credit report is found to be incomplete, misleading or inaccurate, please contact Softmedia Technology Co. Ltd. by email support@softmedia.hk.

如發現信貸資料報告的資料有錯漏或不實，可聯絡 Softmedia Technology Co. Ltd. 作出跟進，電郵 support@softmedia.hk

Requirement of TE credit report from Softmedia Technology Co. Ltd. might charge a service fee.

透過索取或MyLoan App 查詢信貸資料報告，Softmedia Technology Co. Ltd. 會收取適當及合理的費用。

The Chinese version shall prevail.

英文譯本僅供參考，合同以中文版本為準。

---

Signature 簽署

Name 姓名	:	User's Name
Date 日期	:

---

1. https://www.hkab.org.hk/DisplayWhatsNewsAction.do?lang=en&id=7611&ss=1
2. According to these Industry Associations, "for consumers, the MCRA Model will enhance the governance of data access and use by the selected credit reference agencies with a more stringent data security code... sets out the standards and requirements for the selected credit reference agencies and subscribed members to comply on various aspects including corporate governance, internal control, use and protection of consumer credit data."
3. https://softmedia.hk/
4. Under Section 2(1) of the Ordinance, "personal data" is defined as any data relating to a living individual in a form in which access to or processing of the data is practicable, and from which it is practicable for the identity of the individual to be directly or indirectly ascertained.
5. Under Section 2(1) of the Ordinance, "personal identifier" means an identifier (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual.
6. Under Section 2(1) of the Ordinance, "data" means any representation of information (including an expression of opinion) in any document, and includes a personal identifier.
7. Not disclosed in this report for security reasons.
8. For details, please refer to the "Code of Practice on Consumer Credit Data" published by the PCPD at: https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/CCDCode_2013_e.pdf
9. In the Code, "Material default" means a default in payment for a period in excess of 60 days (see paragraph 1.20).
10. For details, please refer to "Privacy Management Programme—A Best Practice Guide" published by the PCPD at: https://www.pcpd.org.hk/english/publications/files/PMP_guide_e.pdf