Thailand’s cybersecurity readiness has come under question, after reports that tourists’ personal details were recently exposed online, potentially hurting a much-needed recovery of the key sector.
The information of around 106 million visitors to Thailand was accessible to all on the internet, cybersecurity research firm Comparitech said earlier this week. The database was discovered by Bob Diachenko, one of the company’s researchers, on August 22. Thai authorities removed the data the next day, after being alerted by Diachenko.
The 200-gigabyte database contained each visitor’s full name, sex, passport number, residency status, visa type, Thai arrival card number, and date of arrival in Thailand. Dates on the records ranged from 2011 to this year.
“We do not know how long the data was exposed prior to being indexed,” Comparitech said. The National Cybersecurity Agency of Thailand confirmed the breach, but said it had not found any attempts to sell the data on the internet.
The breach comes at a particularly awkward time for Thailand when it is aiming to gradually reopen to visitors who are vaccinated against COVID-19. Phuket, an island in the south, is its so-called sandbox experiment, having welcomed 35,068 tourists since it fully opened its doors to vaccinated visitors in July.
The government now wants to open five more provinces, including Bangkok, to vaccinated tourists from October. But that plan hangs in the balance, as the vaccination program in Bangkok and those provinces is not expanding at the rate the government had hoped would make any reopening viable.
Reviving tourism is vital to the recovery of Southeast Asia’s second largest economy, as the sector and related businesses accounted for 20% of Thailand’s gross domestic product before the pandemic hit. Tourists might now be put off by Thailand’s poor cybersecurity.
In large part, the data breach can be blamed on the delayed implementation of the personal data protection act. That act was approved by the former junta government in February 2019 and was scheduled to come into full force in May 2020, but was twice postponed to give organizations time and financial room to ramp up efforts. It is now expected to be enacted on June 1, 2022.
Had the law been brought in as initially planned, both the public and private sectors would have upped their game in cybersecurity. Under the act, breaches must promptly be reported to the National Cybersecurity Agency, or parties face fines of THB 200,000 (USD 5,960). Organizations that have been hacked must show proof of proper defenses against cyberattacks, or face penalties under the law.
The urgency of implementation has been brought to the fore by recent cyberattacks on companies. CP Freshmart, a retail business arm of Charoen Pokphand Foods, said on September 7 that the system containing user information was hacked. Around 594,585 items, including passwords, full names, mobile phone numbers, emails, and addresses, were put up for sale on a black market for data.
The company insisted that no credit card and financial information was stolen. Charoen Pokphand Group is Thailand’s largest conglomerate.
Regional airline Bangkok Airways was another recent victim. It sent out an email to some customers on August 28, informing them that passenger names, nationalities, phone numbers, emails, addresses, passport details, historical travel, and some credit card information had been stolen.
Indonesia has also recently suffered similar embarrassments. In early September, Indonesian President Joko Widodo’s COVID-19 vaccine certificate was leaked online, including his national identity number, the type of vaccine he received, and the time at which he received it. The data was accessible on the PeduliLindungi app, the government’s official vaccine monitoring app.
The government sought to play down concerns over data protection on that app by saying that the president’s national identity number was available on the general elections commission website anyway, while his date of vaccination was already widely reported on.
“The government urges the public to remain calm and not be provoked by inappropriate information related to the PeduliLindungi system,” it said.
The leak came just days after encryption provider vpnMentor said it discovered a breach in the Indonesian government’s test-and-trace app for people entering Indonesia. “The app developers failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server,” the company said. Leaked data included passenger ID and COVID-19 test results.
“Our team discovered [the app’s] records with zero obstacles,” it said.
This article first appeared on Nikkei Asia. It’s republished here as part of 36Kr’s ongoing partnership with Nikkei.