A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a British company said this week.
Bob Diachenko, head of cybersecurity research at the Comparitech product comparison website, said the Elasticsearch data store contained visitors’ full names, passport numbers, arrival dates, visa types, residence status, and more. It was indexed by the Censys search engine on August 20 and spotted by Diachenko two days later. There was no identifying information in the database, which is said to have held records dating back a decade.
“There are a lot of people who would prefer their travel history and residency status not made public, so for them there are obvious privacy concerns,” wrote Paul Bischoff, editor of Comparitech, on the company’s blog.
Diachenko said he alerted the database operator, which led to Thai authorities learning of the exposure; they “quickly recognized the incident and quickly secured the data,” Comparitech reported. We are told that the exposed database's IP address, hidden from view a day after Diachenko sounded the alarm, is still live, although connecting to it indicates that the box is now a honeypot.
It is claimed that Thai authorities said the data was not illegally viewed by anyone. That said, the leak affects a large number of people given Thailand’s popularity as a tourist destination before the COVID-19 pandemic.
According to World Bank data, Thailand recorded nearly 40 million international arrivals in 2019, a number that was increasing every year before the pandemic except for 2014, the year the country experienced a military coup.
“Any foreigner who has traveled to Thailand in the past decade probably has a record in the database,” Bischoff wrote.
We have contacted the Thai Embassy in the United States for further comment. Diachenko told The Register that a “misconfiguration of the server” by an IT subcontractor caused the database to be exposed to the whole world.
Thailand is largely closed to tourists, with a few exceptions like a limited experience in Phuket serving as a pilot reopening program. The country, whose economy relies on a large influx of travelers, plans to welcome vaccinated visitors to five other destinations in October, namely Bangkok, Phetchaburi, Prachuap Khiri Khan, Chonburi and Chiang Mai. Other provinces are expected to follow.
Regarding the leak, Comparitech said none of the exposed information posed a direct financial threat to the majority of those listed, as no bank details or contact information were included, for example.
Additionally, if you have traveled to Thailand and stayed there during the pandemic, your details may have already been disclosed. A government website used to enroll foreigners for COVID-19 vaccines spilled names and passport numbers in June.
Additionally, last month Bangkok Airways was hit by the LockBit ransomware group, resulting in the release of passenger data. And in 2018, Thailand’s largest 4G mobile operator, TrueMove H, suffered a database breach of around 46,000 records.
Comparitech said the database it found contained several assets in addition to the 106 million records, bringing the total leaked information to around 200 GB.