  1. #1
    Thailand Expat misskit's Avatar
    Join Date
    Dec 2009
    Last Online
    @
    Location
    Chiang Mai
    Posts
    48,427

    Personal details of 106mn visitors to Thailand exposed online for 10 years

    THAILAND: Research by a leading cyber security firm has revealed that a database containing the personal information of 106 million international visitors to Thailand was left exposed online for a period of 10 years.

    The unsecured database containing international travel records was left exposed on the web without a password, researchers from Comparitech confirmed. Dates on the records ranged from 2011 to the present day.


    Personal information of travellers included date of arrival in Thailand, full name, sex, passport number, residency status, visa type and Thai arrival card number.


    Bob Diachenko, who leads Comparitech’s cybersecurity research, discovered the database on Aug 22, 2021 and immediately alerted the Thai authorities, who acknowledged the incident and secured the data the following day.


    Diachenko surmises that any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident. He even confirmed the database contained his own name and entries to Thailand.


    The database was indexed by search engine Censys on Aug 20 with Diachenko discovering the unprotected data two days later. He immediately took steps to verify and alert the owner in accordance with the company’s responsible disclosure policy. Thai authorities acknowledged the incident on Aug 23 and swiftly secured the data in due course.




    Notably, the IP address of the database is still public but, at time of press, the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message, “This is honeypot, all access were logged.” [sic]


    Thai authorities responded quickly to Diachenko’s disclosure and maintain the data was not accessed by any unauthorised parties. However, it is unknown how long the data was exposed prior to being indexed. ‘Honeypot experiments’ conducted by Comparitech show attackers can find and access unsecured databases in a matter of hours.


    “Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database,” said Comparitech’s tech writer Paul Bischoff. “There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues.”


    None of the information exposed poses a direct financial threat to the majority of data subjects as no financial or contact information was included, said Bischoff.


    “Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own,” he said.



  2. #2
    Thailand Expat David48atTD's Avatar
    Join Date
    Jan 2016
    Last Online
    @
    Location
    Palace Far from Worries
    Posts
    14,393
    On 'ya Thailand

  3. #3
    DRESDEN ZWINGER
    david44's Avatar
    Join Date
    Aug 2011
    Last Online
    @
    Location
    At Large
    Posts
    21,330
    Quote Originally Posted by misskit View Post
    Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive.
    No prob if you need photo page just pop down to my local immigration where my records and all other foreigners are handed out as scrap paper.

    Luckily some entered by the back door on a $500 Cambo investor laissez-pisser

  4. #4
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,834
    What with the Bangkok Airways breach as well, the poor fuckers won't know which data to use.

  5. #5
    Thailand Expat
    Farang Ky Ay's Avatar
    Join Date
    May 2009
    Last Online
    03-01-2022 @ 12:29 AM
    Location
    Chiang Mai
    Posts
    2,081
    A bunch of amateurs in charge of your personal details...and you can't opt out from their mess.

    As long as there's no consequences of a data breach, I don't see them working on securing their systems ...

  6. #6
    Thailand Expat tomcat's Avatar
    Join Date
    Nov 2005
    Last Online
    @
    Posts
    17,246
    Quote Originally Posted by Farang Ky Ay View Post
    I don't see them working on securing their systems ...
    ...even something as simple to manage as the 90-day online check-in is down (again)...

  7. #7
    DRESDEN ZWINGER
    david44's Avatar
    Join Date
    Aug 2011
    Last Online
    @
    Location
    At Large
    Posts
    21,330
    Perhaps they wish to curate these final visitors as an historical archive of when welcoming locals greeted happy tourists who returned many times with very light regulation.

    I recall wild times in 1990s living in Soi 22, a cab seldom more than 50 baht anywhere, pubs clubs open all night. A single man could have a slapper dinner for 15 baht, or a buffet in the Imperial hotel with the Qantas gals was around $5 oh it was freeflow for sure.

    Oh happy it was to be frisky and at large in the city that never slept, Soi Nana hookers and hookahs, Khao Sarn a non stop hippy carnival of drunk/stoned backpackerettes who'd never seen the delights of a punting pole up a Thonburi klong by moonlight. 1st class air con sleeper on the all night bar and shagathon direct to Penang. You could go all the way in the day!

  8. #8
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,834
    Quote Originally Posted by Farang Ky Ay View Post
    A bunch of amateurs in charge of your personal details...and you can't opt out from their mess.

    As long as there's no consequences of a data breach, I don't see them working on securing their systems ...
    It actually wasn't them.

    They had outsourced the work (presumably a well padded contract) and it was the IT services company that left the data exposed.

  9. #9
    Thailand Expat
    Farang Ky Ay's Avatar
    Join Date
    May 2009
    Last Online
    03-01-2022 @ 12:29 AM
    Location
    Chiang Mai
    Posts
    2,081
    ^ You're still responsible for the things you outsource, to do so you state a few things in the contract about security (among other things), and even go check their facility to ensure it respects these standards.

    I actually worked on this in the past, had to fly to NY and San Francisco to check these kind of things to ensure the contractor was sufficiently secure to store my client's data. And then went back there 3 years later to make sure things were still secure.
    Last edited by Farang Ky Ay; 24-09-2021 at 12:21 AM.

  10. #10
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,834
    Quote Originally Posted by Farang Ky Ay View Post
    ^ You're still responsible for the things you outsource, to do so you state a few things in the contract about security (among other things), and even go check their facility to ensure it respects these standards.

    I actually worked on this in the past, had to fly to NY and San Francisco to check these kind of things to ensure the contractor was sufficiently secure to store my client's data. And then went back there 3 years later to make sure things were still secure.
    Whoa there. Are you suggesting the Thais didn't perform due diligence?

    How dare you.


  11. #11
    Thailand Expat
    Farang Ky Ay's Avatar
    Join Date
    May 2009
    Last Online
    03-01-2022 @ 12:29 AM
    Location
    Chiang Mai
    Posts
    2,081
    ^ that was my point, if nothing forces them to perform due diligence, such as fines and compensation to the people whose data have been leaked, they won't do it...it's not as if they care about their image so yeah need to have a stick to whip them when/if they fail to secure data.

  12. #12
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,834
    Quote Originally Posted by Farang Ky Ay View Post
    ^ that was my point, if nothing forces them to perform due diligence, such as fines and compensation to the people whose data have been leaked, they won't do it...it's not as if they care about their image so yeah need to have a stick to whip them when/if they fail to secure data.
    There is a personal data protection law in place but I'm not sure many people actually know about it yet.

  13. #13
    Thailand Expat
    Farang Ky Ay's Avatar
    Join Date
    May 2009
    Last Online
    03-01-2022 @ 12:29 AM
    Location
    Chiang Mai
    Posts
    2,081
    I had a look at the law (here for an overview), it is supposed to be effective since May 2021.
    The penalties are an administrative fine up to 5 million baht + a criminal fine up to 1 million and/or up to 1 year in jail.

    Didn't see anything about compensating people though, but they referred to customers-initiated class actions so maybe there's something there.

    Let's see how they enforce that...
