A tech company was accused by the privacy watchdog yesterday of allowing 680 money-lending companies to check the credit data of about 180,000 borrowers without authorization.

The Office of the Privacy Commissioner for Personal Data’s investigation was triggered by a complainant in December 2021, who said his credit data in the TE Credit Reference System, operated by local firm Softmedia Technology, was accessed a number of times by eight money-lending companies without his knowledge or consent.

The complainant said the credit reference system did not put in place adequate security measures to protect his personal data.

The privacy watchdog said Softmedia failed to adopt a robust password policy or set expiration dates for passwords.

The company was also found to retain over 50,000 credit records of borrowers who had completed their repayments more than five years ago.

It contravened the relevant requirement of the Personal Data (Privacy) Ordinance and failed to take all practicable steps to protect the personal data in the credit reference system against unauthorized or accidental access, processing or use, the watchdog found.

Softmedia received 66 complaints between 2021 and March of this year about credit data being accessed by unidentified money lenders and 59 complaints were substantiated.

The company was also found to allow “unlimited access” to the credit reference system at a “very low fee” of HK$2 without ensuring that consent had been obtained from the borrowers.

Privacy commissioner Ada Chung Lai-ling said the complaints lodged could be the “tip of the iceberg.”

She added: “When the money lender pays HK$2, it will be provided unlimited access to the credit reference system for five days.

“It is regrettable that Softmedia did not regularly monitor money lenders’ access to, or use of, the credit reference system.”

She said that although the borrowers’ information was usually stored in the database upon their approval, it was unknown whether the complainants had agreed to do so.

Despite Softmedia claiming that its TE Credit Reference System is Hong Kong’s largest database of its kind, Chung said the system was not one of the service providers under the Multiple Credit Reference Agencies Model.

This means that it is not regulated by any association or laws related to the finance industry, which Chung said was “far from satisfactory.”

The office has served an enforcement notice on Softmedia, directing it to establish policies and measures in the next three months to ensure money lenders were authorized by borrowers before accessing their data, as well as review and limit lenders’ access to the database.

Chung said the office may consider initiating criminal prosecution if the company violates the notice, with a maximum penalty of imprisonment of two years and a HK$50,000 fine upon conviction.

Source: The Standard