Softmedia Technology Company, the operator of the TE Credit Reference System, has been found in breach of privacy laws after users reported unauthorized access to their credit data by moneylenders. The Office of the Privacy Commissioner for Personal Data (PCPD) stated that Softmedia failed to implement appropriate security measures, violating the Personal Data (Privacy) Ordinance. The TE System, used by 680 moneylending companies and containing data on 180,000 borrowers, was accessed without consent, leading to the PCPD issuing enforcement notices. Softmedia is directed to remedy contraventions, delete credit data, and prevent future breaches.
The PCPD’s investigation was triggered by a complaint from a user who reported unauthorized access to their credit data by eight moneylending companies. The TE Credit Reference System, established in 2016, provides borrowers’ credit data for reference by moneylenders. The PCPD found that Softmedia did not actively delete credit data, and there were instances where data persisted five years after borrowers had completed repayment, violating privacy laws. The enforcement notices require Softmedia to address the contraventions and actively delete credit data, particularly for borrowers who paid their loans more than five years ago.
Softmedia charged moneylenders HK$2 for unlimited checks on a borrower within five days, but failed to review proofs of consent provided by the moneylenders, allowing unauthorized access. The PCPD highlighted that operations of credit reference platforms are not regulated by financial industry-related legislation, emphasizing the need for regulation, including legislation, guidelines, or licensing systems. Ada Chung, the Privacy Commissioner for Personal Data, called for measures to safeguard user privacy and prevent similar contraventions in the future.
