The National Cybersecurity Agency (NCSA) has confirmed the personal data of 106 million international travellers to Thailand was exposed online last month, but was quickly secured by authorities, with no sale of the data on underground websites.
NCSA is also investigating the reported leakage of personal data from 15 million user records on e-commerce platform Shopee.
Gp Capt Amorn Chomchoey, acting secretary-general of NCSA, said Thai authorities were alerted to the leak of travellers' data from a white hacker detecting the unsecured database.
"After checking, there is no sale of the data via underground sites," Gp Capt Amorn said.
The case made headlines after Comparitech, a cybersecurity research firm, reported on Monday the data of 160 million travellers to Thailand, which includes full names, sex, passport numbers, arrival dates, visa types and residency status, was exposed online.
The database was indexed by search engine Censys on Aug 20 and discovered two days later by Bob Diachenko, who leads Comparitech's cybersecurity research. He immediately alerted Thai authorities. Thai authorities secured the database on Aug 23.
As the dates on the database span from 2011 to the present, Mr Diachenko said visitors to Thailand over the last decade might have had their information exposed.
According to Comparitech, Thai authorities responded quickly to the disclosure, but the firm had no indication of how long the data was exposed prior to being indexed.
In related news, a user on raidforums.com, a database sharing and marketplace forum, on Tuesday announced the sale of 15 million records involving emails, names, home addresses and phone numbers of people from e-commerce platform Shopee.
Gp Capt Amorn said his agency is working with Shopee's team to verify whether there was a data breach. Shopee said it was investigating the case. He said the Personal Data Protection Act, slated for enforcement in June 2022, would be useful because it authorises fines for those who leak personal data.
Paiboon Amonpinyokeat, a member of the National Cybersecurity Committee, said the traveller data case involves critical information infrastructure, requiring data owners to report to NCSA or face a fine of 200,000 baht.