Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/5

 Actual operation of accessing the TE Credit Reference System

According to Softmedia, a money lending company using the TE Credit Reference System must obtain a signed "Authorization Letter of TE Credit Information Inquirement" from the borrowers before it uploads and subsequently accesses any personal data of the borrowers on the TE Credit Reference System. The money lending company can access the TE Credit Reference System through its Loan Management System to make relevant inquiries. In the present case, the acquainted money lending company of the complainant learnt from the said channel that the complainant's credit data in the TE Credit Reference System had been accessed by eight money lending companies unacquainted with the complainant, and one of them had accessed his data three times within seven days.

With respect to the present complaint and the intervention of the PCPD, Softmedia made inquiries and found that none of the eight money lending companies involved could provide the complainant's signed "Authorization Letter of TE Credit Information Inquirement". Each provided a different explanation, such as "probably because of the recent follow-up with the complainant on his repayment status and made the loan inquiry"; "the complainant agreed to upload loan data to the database in 2020"; "the company's normal procedures would provide an authorisation letter"; "the complainant had inquired about the loan issue, but the application was not approved"; and "the authorisation letter should have been filled in, but the company was moving office at the time, the document handling process was in a mess". One of the companies even stated that "a former employee accessed the database without the company's authorisation and the employee was fired".

Although Softmedia required the money lending companies to declare that they had obtained the consent and authorization of the borrowers before they could access the credit data in the TE Credit Reference System, the investigation revealed that the money lending companies could freely access the credit data in the TE Credit Reference System without complying with this requirement. Softmedia did not appear to have examined the statements of consent and authorization letters from the borrowers that the money lending companies should have obtained. Thus, a contravention loophole is plainly apparent. 