Thailand’s cybersecurity neglect leads to personal data breaches
BANGKOK – Thailand’s cybersecurity readiness has been called into question after reports that tourists’ personal information was recently leaked online, potentially undermining a much-needed recovery in the key sector.
According to cybersecurity research firm Comparitech, information on around 106 million visitors to Thailand was available to everyone on the Internet earlier this week. The database was discovered on August 22nd by one of the company’s researchers, Bob Diachenko. The Thai authorities removed the data the next day after being alerted by Diachenko.
The 200 gigabyte database contained each visitor’s full name, gender, passport number, residence status, visa type, Thai arrival card number, and arrival date in Thailand. The records ranged from 2011 through this year.
“We don’t know how long the data was disclosed before it was indexed,” said Comparitech. The National Cybersecurity Agency of Thailand confirmed the breach but said it had found no attempts to sell the data over the internet.
The breach comes at a particularly inopportune time for Thailand, which aims to gradually reopen to visitors who have been vaccinated against COVID-19. Phuket, an island in the south, is its so-called sandbox experiment, which has welcomed 35,068 tourists since opening its doors fully to vaccinated visitors in July.
The government now wants to open five more provinces, including Bangkok, to vaccinated tourists from October. That plan is pending, however, as the vaccination program in Bangkok and these provinces will not expand as much as the government had hoped would make a reopening feasible.
The revitalization of tourism is vital to the recovery of Southeast Asia’s second-largest economy, as the sector and related businesses represented 20% of Thailand’s gross domestic product before the pandemic broke out. Tourists could now be put off by Thailand’s poor cybersecurity.
The data breach is due in large part to the delayed implementation of the Data Protection Act. This law was approved by the former junta government in February 2019 and was due to come into effect in full in May 2020, but has been postponed twice to give the organizations time and financial headroom to intensify their efforts. It is now expected to come into force on June 1st, 2022.
Had the law been introduced as originally planned, both the public and private sectors would have stepped up their cybersecurity game. According to the law, breaches must be reported immediately to the National Cybersecurity Agency or parties face fines of 200,000 baht ($5,960). Companies that have been hacked must provide evidence of adequate cyber-attack protection or face legal sanctions.
The urgency of the implementation has been made clear by the recent cyber attacks on companies. CP Freshmart, a retail company owned by Charoen Pokphand Foods, said on Sept. 7 that its user information system had been hacked. Around 594,585 items, including passwords, full names, cell phone numbers, emails, and addresses, were put up for sale on a data black market.
The company insisted that no credit card or financial information had been stolen. The Charoen Pokphand Group is Thailand’s largest conglomerate.
The regional airline Bangkok Airways has been another recent victim. It emailed some customers on Aug. 28 informing them that passenger names, nationalities, phone numbers, emails, addresses, passport details, historical travel dates and some credit card information had been stolen.
Indonesia has suffered similar embarrassment recently. In early September, Indonesian President Joko Widodo’s COVID-19 vaccine certificate was leaked online, including his national identity number, the type of vaccine he received and the time it was received. The data was accessible through the PeduliLindungi app, the government’s official vaccine monitoring app.
The government tried to downplay privacy concerns about this app by saying that the president’s national identity number was already available on the General Electoral Commission website, while his vaccination date had already been fully reported.
“The government urges the public to remain calm and not be provoked by inappropriate information related to the PeduliLindungi system,” it said.
The leak came just days after encryption provider vpnMentor said it discovered a breach in the Indonesian government’s test-and-trace app for people entering Indonesia. “The app developers failed to implement adequate data protection protocols and disclosed the data of over 1 million people on an open server,” the company said. The leaked data included passenger ID and COVID-19 test results.
“Our team discovered [the app’s] records without obstacles,” it said.
Additional coverage from Shotaro Tani in Jakarta