Data of TrueMove H users leaked online
The personal data of around 46,000 TrueMove H users was leaked into Amazon Web Services' (AWS) cloud storage, leading the National Broadcasting and Telecommunications Commission (NBTC) to call in the company for questioning on Saturday.
The leaked data, found by security researchers in an AWS cloud storage container known as an S3 bucket, included scanned images of users' ID cards, passports and drivers' licences.
Over 32GB of data was found stored in the bucket, amounting to 46,000 files that were listed by year.
TrueMove H was reportedly warned by security researchers about the lack of security on users' files, but took no action to prevent it.
When the Bangkok Post contacted TrueMove H, an operator representative simply said the company was taking the data breach seriously.
The Thailand Computer Emergency Response Team (ThaiCERT) has warned mobile phone users about the incident.
According to the ThaiCERT website, it is now working on new data verification measures.
"TrueMove H users should verify what data they have registered with the operator and may notify the police in the event that their data is breached and used for identity theft," said NBTC secretary-general Takorn Tantasith.
"If the data leak was intentionally done, TrueMove H must be penalised," he added.
"NBTC has contacted the company to clarify the case. The NBTC is taking the breach seriously as it has affected the personal data of consumers. The issue must be taken care of soon."
A legal expert said True could face a penalty for the data breach, while security experts called on telecom operators to start introducing smarter data protection laws.
No details were offered on how big the penalty may be.
A True representative acknowledged the problem and said the company is seeking to resolve it.
Bhume Bhumiratana, security expert and adviser to the Securities and Exchange Commission, said the data breach may have occurred due to usage mistakes in the cloud system.
Cases of cloud usage mistakes have been seen in several other countries, involving telecom operators such as Verizon in the United States.
These are often attributed to a lack of data protection measures.
The problem has mostly arisen out of design mistakes due to a lack of risk assessment, or improper cloud usage.
Paiboon Amornpinyokiat, founder of P&P Law Firm, said the mobile operator may face a fine from NBTC as licence holders are obligated to protect consumer data privacy under Section 50 of the NBTC Act.
The hackers behind the data grab face penalties described in Sections 5 and 7 of the Computer Crime Act concerning the violation of data access.