Personal data of 106 million international travellers to Thailand was found to have been exposed online in August before it was quickly secured by Thai authorities, according to Comparitech, a cybersecurity research firm.
The National Cybersecurity Agency (NCSA) confirmed the incident happened last month, and said it had not detected any attempts to sell the data on underground websites.
Comparitech indicated the database included full names, sex, passport numbers, arrival dates, visa types and residency status.
According to the research firm, the database was indexed by search engine Censys on Aug 20 and it was discovered two days later by Bob Diachenko, who leads Comparitech’s cybersecurity research, who immediately alerted Thai authorities.
Thai authorities secured the database on Aug 23.
As the dates on the database records run from 2011 to the present, Mr Diachenko said all those who travelled to Thailand over the last decade might have had their information exposed.
According to Comparitech, Thai authorities responded quickly to the disclosure, however “we do not know how long the data was exposed prior to being indexed”.
Grp Capt Amorn Chomchoey, acting secretary general of the NCSA, told the Bangkok Post the incident occurred last month. A white hacker informed authorities they should fix the issue.
“As we have checked, there is still no sale of data via underground webs,” Grp Capt Amorn said.
Meanwhile, a user on raidforums.com, a database sharing and marketplace forum, on Tuesday offered to sell 15 million records of data involving emails, names, home addresses and phone numbers of people from e-commerce platform Shopee.
Responding to the Shopee case, Grp Capt Amorn said his agency was working with Shopee team to verify whether there was a data breach.
He said the Personal Data Protection Act (PDPA), which will be fully enforced in June next year, was an instrumental tool in dealing with such violations. Fines could be levied on those who leak personal data.
Lawyer Paiboon Amonpinyokeat, a member of the National Cybersecurity Committee (NCSC), said the online exposure of travellers’ data involved critical information infrastructure and data owners must quickly report it to NCSA or face a fine of 200,000 baht.
Under the PDPA, victim organisations must have proof that they have sufficient security measures in place to guard against cyber threats, or face penalties, he said.