THAILAND: Research by a leading cybersecurity company has found that a database containing the personal information of 106 million international visitors to Thailand has been exposed online, with records spanning a period of 10 years.
A screenshot of some of the exposed data. Image: Comparitech
The unsecured database of international travel records was left open on the Internet without a password, researchers from Comparitech confirmed. The records dated from 2011 to the present day.
Travelers’ personal information included arrival date in Thailand, full name, gender, passport number, residence status, visa type and Thai arrival card number.
Bob Diachenko, who heads Comparitech’s cybersecurity research, discovered the database on August 22, 2021 and immediately alerted the Thai authorities, who confirmed the incident and backed up the data the next day.
Diachenko suspects that information about every foreigner who has traveled to Thailand in the past decade may have been leaked in the incident. He even confirmed that the database contained his own name and his entries to Thailand.
The database was indexed by the Censys search engine on August 20, and Diachenko discovered the unprotected data two days later. He took immediate steps to review and alert the owner in accordance with the company’s responsible disclosure policy. The Thai authorities confirmed the incident on August 23 and quickly backed up the data.
Notably, the IP address of the database is still public, but at the time of going to press the database itself was replaced by a honeypot. Anyone who tries to access this address now receives the message “This is honeypot, all accesses have been logged.” [sic]
The Thai authorities reacted quickly to Diachenko’s disclosure, claiming that the data was not accessed by unauthorized persons. However, it is not known how long the data was exposed before it was indexed. Honeypot experiments carried out by Comparitech show that attackers can find and access unsecured databases within a few hours.
“Any foreigner who has traveled to Thailand in the past ten years will likely have an entry in the database,” said Comparitech tech writer Paul Bischoff. “There are many people who would prefer their travel history and residence status not to be published, so there are obvious privacy issues for them.”
None of the information disclosed posed a direct financial threat to the majority of data subjects as it did not include any financial or contact information, Bischoff said.
“Although passport numbers are unique to individuals, they are issued continuously and are not particularly sensitive. For example, a passport number cannot be used to open bank accounts or travel alone on someone else’s behalf,” he said.