Personal data of 106 million visitors to Thailand exposed online

BANGKOK (The Nation/Asia News Network): The personal details of more than 106 million international travellers to Thailand were exposed on the web without a password last month, Comparitech researchers report. The database included full names, passport numbers, arrival dates, and more.

Bob Diachenko, who leads Comparitech’s cybersecurity research, discovered the database on Aug 22, and immediately alerted the Thai authorities, who acknowledged the incident and secured the data the following day.

Diachenko surmises that any foreigner who travelled to Thailand in the last decade might have had their information exposed in the incident. He even confirmed the database contained his own name and entries to Thailand.

Timeline of the exposure

Dates on the exposed records ranged from 2011 to the present day. Here’s what we know happened:

Aug 20: The database was indexed by search engine Censys.

Aug 22: Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in line with our responsible disclosure policy.

Aug 23: Thai authorities were quick to acknowledge the incident and swiftly secured the data.

Notably, the IP address of the database is still public, but the database itself has been replaced with a “honeypot” as of the time of writing. Anyone who attempts access at that address now receives the message, “This is honeypot, all access were logged.” [sic]

Thai authorities responded quickly to Diachenko’s disclosure, though we do not know how long the data was exposed before being indexed. Our honeypot experiments show attackers can find and access unsecured databases in a matter of hours.

Thai authorities maintain the data was not accessed by any unauthorised parties.

What data was exposed

The Elasticsearch database totalled about 200GB and contained several assets, including a collection of more than 106 million records, each of which included some or all of the following information:

- Date of arrival in Thailand

- Full name

- Sex

- Passport number

- Residency status

- Visa type

- Thai arrival card number

Dangers of exposed data

Any foreigner who travelled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicised, so for them there are obvious privacy issues.

None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included.

Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own.

Why data incident was reported

Comparitech’s cybersecurity research team regularly scans the web for unprotected databases containing personal data. When we find such a database, we immediately begin an investigation to find out to whom it belongs, what information it contains, who could be affected, and the potential consequences for data subjects.

Once we identify and verify the owner of the data, we alert them according to our responsible disclosure policy.

Once the data has been secured, we publish a report like this one to curb harm to end users and raise cybersecurity awareness.

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 46
Cxense type: free
User access status: 3
Join our Telegram channel to get our Evening Alerts and breaking news highlights

Thailand , travellers , data , breach


Next In Aseanplus News

White paper lists China's success in tackling climate change
Thailand Pass will be a boon to tourism industry, promises minister
Cambodia to waive hotel quarantine for certain international tourists
Japan pledges to work with Asean toward free, open, peaceful Indo-Pacific
Philippines Covid patients may get Merck’s anti-viral pill early
Singapore university creates first laser-powered device able to trap and move a single virus
Seven more Covid deaths, 111 infections in Cambodia
Australia promises more aid to Asean, seeks stronger relations
I’m against vote buying,’ clarifies presidential candidate Robredo
Water tycoon is China's richest as wealth crackdown batters Jack Ma

Others Also Read