A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a Brit biz claimed this week.
Bob Diachenko, head of cybersecurity research at product-comparison website Comparitech, said the Elasticsearch data store contained visitors’ full names, passport numbers, arrival dates, visa types, residency status, and more. It was indexed by search engine Censys on August 20, and spotted by Diachenko two days later. There were no credentials in the database, which is said to have held records dating back a decade.
“There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues,” wrote Comparitech editor Paul Bischoff on the company’s blog.
Diachenko said he alerted the operator of the database, which led to the Thai authorities finding out about it, who “were quick to acknowledge the incident and swiftly secured the data,” Comparitech reported. We’re told that the IP address of the exposed database, hidden from sight a day after Diachenko raised the alarm, is still live, though connecting to it reports that the box is now a honeypot.
It’s claimed the Thai authorities said the data was not illegally accessed by anyone. That said, the leak includes a whole lot of people given Thailand’s popularity as a tourist destination prior to the COVID-19 pandemic.
Thailand bans joke cryptocurrencies and non-fungible tokens
According to data from The World Bank, Thailand racked up almost 40 million international arrivals in 2019, a number that was on the rise every year pre-pandemic except for 2014, the year the country experienced a military coup.
“Any foreigner who travelled to Thailand in the last decade or so probably has a record in the database,” wrote Bischoff.
We’ve contacted the Thai embassy in the US for further comment. Diachenko told The Register a “server misconfiguration” by an IT outsourcer caused the database to be exposed to the whole world.
Thailand is largely shut to tourists, with a few exceptions like a restricted Phuket experience serving as a pilot reopening program. The country, whose economy relies on a hefty influx of travelers, plans to welcome vaccinated visitor to five more destinations in October that are Bangkok, Phetchaburi, Prachuap Khiri Khan, Chonburi and Chiang Mai. More provinces are expected to follow.
As for the leak, Comparitech said none of the information exposed poses a direct financial threat to the majority of those listed as no bank details or contact information was included, for instance.
Additionally, it’s possible that if you’ve traveled to Thailand and stayed there during the pandemic, you’ve already been leaked. A government website used to sign foreigners up for COVID-19 vaccines spilled names and passport numbers in June.
Additionally, last month, Bangkok Airways was hit by ransomware group LockBit resulting in the publishing of passenger data. And in 2018, TrueMove H, the biggest 4G mobile operator in Thailand, suffered a database breach of around 46,000 records.
Comparitech said the database it found contained several assets, in addition to the 106 million records, making the total leaked information come to around 200 GB. ®