Thailand: Data leak left thousands of TrueMove H mobile users exposed
THAILAND’S second-biggest mobile operator has become the subject of scrutiny this week following a data leak that affected thousands of users.
The leak affected at least 11,400 customers of “TrueMove H” mobile packages, Reuters reported, but local media outlets placed the number much higher at 46,000.
The National Broadcasting and Telecom Commission (NBTC) on Saturday sought an urgent meeting with executives of TrueMove H to question the massive leak of customers’ personal data, according to The Nation.
The leak was first reported by Blognone, an online technology news service, which said individuals’ ID cards and passport numbers were compromised.
Niall Merrigan, a cyber-security researcher, claimed to have uncovered the data from a folder with unrestricted access on the cloud storage facility of Amazon Web Service.
The researcher said he was able to access 32 gigabytes of True’s customer data, including identification cards, and that he notified True in March about the security breach.
“There was no security at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details,” Merrigan wrote in his blog.
On Tuesday, the mobile service’s parent company True Corp defended its security measures saying the data had been “hacked” by an expert. The incident is possibly the first known instance of a major data leak at a mobile operator in Thailand.
True Corp is the flagship company of billionaire Dhanin Chearavanont’s Charoen Pokphand Group.
Earlier, True said stored copies of national identification cards belonging to 11,400 customers who bought the TrueMove H mobile packages via True’s e-commerce platform iTruemart, run by True’s digital arm Ascend Commerce, had been made public.
True said the leak was fixed on April 12.
Seubsakol Sakolsatayadorn, Ascend Commerce’s managing director, said the data was private and that customers’ information was hacked by Merrigan.
“In this case the expert did not have the right to access this and he used special tools,” Seubsakol told reporters at a news conference.
According to Pakpong Pattanamas, a deputy director for True’s mobile business, True has “a good security system”.
True is working to prevent “this sort of incident” from happening again, said Pakpong.
“TrueMove H will send out an SMS to the 11,400 affected customers and inform them about the security measures that we have taken so far,” Pakpong said.
The National Broadcasting and Telecommunications Commission (NBTC) said it would ask Thailand’s five main mobile operators to clearly outline their data protection measures.
The NBTC is looking to build its own data centre to store customers’ information, Takorn Tantasith, secretary-general of the country’s telecoms regulator, told reporters.
“The NBTC thinks that data storage should be done by a government agency,” he said.
“If a state agency is responsible then the public will have more confidence. This is part of our long-term plan,” he added.