Researcher Finds Exposed Data of 106 Million Thai VisitorsResearcher: Decade-Old Exposure Is a Privacy Concern
Comparitech security researcher Bob Diachenko has discovered an unsecured database containing personal information of 106 million foreign nationals who have visited Thailand in the past decade. The 200GB database, which has now been secured, has not been accessed by unauthorized personnel, Thai authorities told Comparitech.
The exposed personal information included travelers' full names, passport numbers, residency status, dates of arrival in Thailand, immigration arrival card numbers, and visa types, Diachenko tells Information Security Media Group. No financial or contact information was exposed.
Diachenko did not identify the owner of the database. He also did not categorially accept or deny that the database may belong to the Thai immigration department or the Tourism Authority of Thailand. He says: "Based on what we saw, it belongs to many departments, all coming up together."
Diachenko, who discovered the data exposure on Aug. 22, says he was unable to ascertain how long the data had been unsecure.
The exposed data, he says, was an Elasticsearch database, which was indexed this year on Aug. 20 by search engine Censys. The earliest record found in the database was from November 2010, he says.
While it is possible that anyone with the necessary know-how could have accessed the database, Diachenko says Censys' output did not make the task easy.
"Censys' output structure is not that user-friendly, compared to, say, Shodan. This means that there is an additional step to verify the data. This implies that the indexes and contents of the database were not easily accessible," he says.
More than an identity theft issue, the exposure is a privacy concern, says Diachenko.
Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive, he explains. "For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own. However, in combination with other data - name, address, email, phone number, etc. - cross-referenced from other leaks, someone could come up with a perfect profile for a phishing attack," he says.
While people are often quick to dismiss data exposures that don't leak credit card or Social Security numbers, the sort of information exposed in the breach detailed by Comparitech is a gold mine for social engineers, says Erich Kron, security awareness advocate at security training platform KnowBe4.
With this information, very compelling spear-phishing emails or vishing calls can be made, using the information as a background story to get a victim to click on a malicious link, open an infected document or give up sensitive information, he says.
While the IP address the database was discovered on is still public, Thai authorities are leveraging it as a honeypot to monitor and trap threat actors who may have had knowledge of the leak, according to Comparitech.
"Anyone who now attempts access to the said address is greeted with a message, "This is honeypot, all access were logged," the report says.
A simple check of critical infrastructure - such as public IPs - using IoT search engines can save cost and prevent risks, Diachenko says.
"IoT search engines are a double-edged sword: They can be used against data owners but are also powerful tools to keep an eye on the corporate environment and make sure company assets are not exposed," he says.
Kron adds that organizations must make security a top priority when collecting and storing significant amounts of data. "Policies, procedures and technical controls should all be used to ensure that permissions to access such data are restricted, and remain that way," he adds.
Other Recent Data Breaches
Thailand has witnessed several high-profile data breaches in the recent past.
In May 2021, Asia Assistance, a subsidiary of Paris-based multinational insurance company AXA, was hit by a ransomware attack. The Avaddon group took responsibility for the attack and claimed on its leak site that it had stolen 3TB of sensitive data from AXA's Asian operations. The attack particularly affected its IT operations in Thailand, Malaysia, Hong Kong and the Philippines.
In August, Bangkok Airways confirmed a data breach that apparently compromised personally identifiable information of an unstated number of passengers. The LockBit ransomware gang claimed credit for the attack (see: Bangkok Airways Execs Apologize for Data Breach).
Thailand in 2020 fell nine places, to the 44th position, on the International Telecommunication Union's Global Cybersecurity Index, compared to 2019.
At least 200 pieces of critical information infrastructure, across seven sectors, urgently need to adopt measures to safeguard the country against cyberattacks, news agency Bangkok Post reported, citing Thailand's National Cyber Security Agency.