Personal data of 106 million international travellers to Thailand was found to have been exposed online in August before it was quickly secured by Thai authorities, according to Comparitech, a cybersecurity research firm.
The National Cybersecurity Agency (NCSA) confirmed the incident happened last month, and said it had not detected any attempts to sell the data on underground websites.
Comparitech indicated the database included full names, sex, passport numbers, arrival dates, visa types and residency status.
According to the research firm, the database was indexed by search engine Censys on Aug 20 and it was discovered two days later by Bob Diachenko, who leads Comparitech’s cybersecurity research, who immediately alerted Thai authorities.
Thai authorities secured the database on Aug 23.
As the dates on the database records run from 2011 to the present, Mr Diachenko said all those who travelled to Thailand over the last decade might have had their information exposed.
According to Comparitech, Thai authorities responded quickly to the disclosure, however “we do not know how long the data was exposed prior to being indexed".
Grp Capt Amorn Chomchoey, acting secretary general of the NCSA, told the Bangkok Post the incident occurred last month. A white hacker informed authorities they should fix the issue.
“As we have checked, there is still no sale of data via underground webs,” Grp Capt Amorn said.
Meanwhile, a user on raidforums.com, a database sharing and marketplace forum, on Tuesday offered to sell 15 million records of data involving emails, names, home addresses and phone numbers of people from e-commerce platform Shopee.
Responding to the Shopee case, Grp Capt Amorn said his agency was working with Shopee team to verify whether there was a data breach.
Shopee later stated it takes data protection very seriously. "Our finding indicates that the data in question is unrelated to any Shopee database," its statement read.
He said the Personal Data Protection Act (PDPA), which will be fully enforced in June next year, was an instrumental tool in dealing with such violations. Fines could be levied on those who leak personal data.
Lawyer Paiboon Amonpinyokeat, a member of the National Cybersecurity Committee (NCSC), said the online exposure of travellers' data involved critical information infrastructure and data owners must quickly report it to NCSA or face a fine of 200,000 baht.
Under the PDPA, victim organisations must have proof that they have sufficient security measures in place to guard against cyber threats, or face penalties, he said.
NCSC member Prinya Hom-anek said the government or agencies dealing with the travellers’ data which was exposed must quickly clarify the issue, to protect Thailand’s reputation and give tourists confidence.
Organisations should conduct penetration testing of their computer systems to find any vulnerabilities or if any system backdoors had been secretly left by hackers.
He said once the PDPA comes into force, it was likely that cybercriminals would intensify ransomware attacks. They knew that many organisations may choose to pay a ransom for the return of information rather than face penalties under the law.
The public must also do a better job of protecting their personal information, such as using two-factor authentication.
Tourism Authority of Thailand governor Yuthasak Supasorn said tourists needed to be reassured there will be no repeat of this in the future. The leaking of personal information had a big effect on tourist confidence.
He said tourists may think twice before visiting Thailand, particularly business travellers, if there were perceived threats to their personal security.
Tour operators, hotels and airlines must also work together to assess risks from this exposure of information, and scale up preventive measures as soon as possible, he said.