Personal data of 106 million travelers to Thailand exposed online
Personal data of more than 106 million international travelers who had visited Thailand in the last decade have been found exposed online last month. Thai authorities were informed immediately, on August 22, and claimed to have secured the data the following day.
Comparitech said in a report that its head of cybersecurity research, Bob Diachenko, found a database in August containing the personal information of travelers to the kingdom. He said “any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident”, including their name, passport number, and residency status.
In fact, Comparitech said Diachenko also found his own name and details about his entries into Thailand on the database, which contained information dating back to 2011. “However we do not know how long the data was exposed prior to being indexed,” said the report.
Thai authorities “maintain the data was not accessed by any unauthorized parties”, it added. Thailand’s Cyber Crime Investigation Bureau said it was unaware of the incident but was looking into it.
Timeline and the type of data exposed
Dates on the records ranged from 2011 to the present day. The exposure started on August 20, 2021, when the database was indexed by search engine Censys. Then by August 22, Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in accordance with our responsible disclosure policy.
Within 24 hours, on August 23, Thai authorities acknowledged the incident and swiftly secured the data. Notably, the report claims the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message, “This is a honeypot, all access was logged and our honeypot experiments show attackers can find and access unsecured databases in a matter of hours.”
The reports said the Elasticsearch database totaled about 200GB and contained several assets, including a collection of more than 106 million records, each of which included, date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number. “None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included,” the report stated.
To be frank, the Thai government is no stranger to data leaks and information breaches. Back in June this year, a government website for foreigners to sign up for the Covid-19 vaccine was found to be revealing the names and passport numbers of prospective recipients. The site was taken down soon after.