The telecom regulator has handed an official warning letter to a subsidiary of Advanced Info Service (AIS), urging it to strictly ensure cybersecurity and data protection after the firm accidentally exposed its database of 8 billion internet records online without a password during a scheduled test earlier this month.
The move comes after Advanced Wireless Network Co (AWN), the operator of AIS's licensed mobile business, was summoned by the National Broadcasting and Telecommunications Commission (NBTC) on Tuesday to explain the incident.
Takorn Tantasith, secretary-general of the NBTC, said on Tuesday that his agency set up a panel on Monday to look into the event.
The panel resolved that no personal customer data was leaked during the scheduled test that could be used to identify any customers or cause financial harm.
According to the panel, the company should connect its system with the Thailand Computer Emergency Response Team (ThaiCert) and the Thailand Banking Computer Emergency Response team (TB-Cert) to ensure data security protection.
Meanwhile, executives from AWN turned up to explain the incident to the regulator.
Sutisak Tantayotin, deputy secretary general of the NBTC, said AWN told the commission that the exposed database was brought up for examination by the firm to study user behaviour to seek ways to improve service.
The company insisted that the database did not contain personal data of users or any electronic transactions by them, only involving website addresses reached by users.
"The mistake happened because staff thought that was the system testing, so they were careless," Mr Sutisak said.
He said the company promised to discipline staff and raise employees' awareness of cybersecurity.
AIS came under fire after the website techcrunch.com on Monday broke a story about the database of 8 billion internet records being left open on the internet without a password earlier this month.
Security researcher Justin Paine said the database was secured on May 22, one day after he notified ThaiCert about the findings.
The database was first observed as exposed and publicly assessable on May 1, he said.
He started to contact AIS about the open database on May 13, but attempts to contact the firm were unsuccessful. He said he then decided to alert ThaiCert, which subsequently contacted AIS to have the database secured.
AIS on Monday issued a statement saying only non-critical information was exposed online during its scheduled test this month -- not personal information from customers.
Meanwhile, the House committee on communications, telecommunications and digital economy and society said it would call in representatives of AIS, the NBTC, the Digital Economy and Society Ministry and relevant agencies to explain the incident.
"They will also be asked about their preparation for incidents that could happen in the future," said Col Settapong Malisuwan, the committee's vice-chairman.
He said the data leak demonstrates flaws in the security system, which could potentially affect the public.