Personal details of 106 million international travelers to Thailand exposed. (Photo by Lillian SUWANRUMPHA / AFP)
Personal details of 106 million international travelers to Thailand exposed
- International travelers who traveled to Thailand in the last decade might have had their information exposed in the incident.
- The database totaled about 200GB and contained details such as date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number.
Personal data of more than 106 million international travelers who had visited Thailand in the last decade have been found exposed online last month by a Britain-based consumer security firm Comparitech. Thai authorities were informed immediately, on August 22, and claimed to have secured the data the following day.
Comparitech said in a report that its head of cybersecurity research, Bob Diachenko, found a database in August containing the personal information of travelers to the kingdom. He said “any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident”, including their name, passport number, and residency status.
In fact, Comparitech said Diachenko also found his own name and details about his entries into Thailand on the database, which contained information dating back to 2011. “However we do not know how long the data was exposed prior to being indexed,” said the report.
Thai authorities “maintain the data was not accessed by any unauthorized parties”, it added. Thailand’s Cyber Crime Investigation Bureau said it was unaware of the incident but was looking into it.
Timeline and the type of data exposed
Dates on the records ranged from 2011 to the present day. The exposure started on August 20, 2021, when the database was indexed by search engine Censys. Then by August 22, Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in accordance with our responsible disclosure policy.
A redacted sample of the exposed database. Source: Comparitech
Within 24 hours, on August 23, Thai authorities acknowledged the incident and swiftly secured the data. Notably, the report claims the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message, “This is a honeypot, all access was logged and our honeypot experiments show attackers can find and access unsecured databases in a matter of hours.”
The reports said the Elasticsearch database totaled about 200GB and contained several assets, including a collection of more than 106 million records, each of which included, date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number. “None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included,” the report stated.
To be frank, the Thai government is no stranger to data leaks and information breaches. Back in June this year, a government website for foreigners to sign up for the Covid-19 vaccine was found to be revealing the names and passport numbers of prospective recipients. The site was taken down soon after.
Dashveenjit Kaur
| 
@DashveenjitK
Dashveen writes for Tech Wire Asia and TechHQ, providing research-based commentary on the exciting world of technology in business. Previously, she reported on the ground of Malaysia's fast-paced political arena and stock market.
READ MORE
- Strategies for Democratizing GenAI
- The criticality of endpoint management in cybersecurity and operations
- Ethical AI: The renewed importance of safeguarding data and customer privacy in Generative AI applications
- How Japan balances AI-driven opportunities with cybersecurity needs
- Deploying SASE: Benchmarking your approach