Data of TrueMove H users leaked online

Data of TrueMove H users leaked online

The personal data of around 46,000 TrueMove H users was leaked into Amazon Web Services' cloud storage, leading the National Broadcasting and Telecommunications Commission to call in the company for questioning. (Photo by Narupon Hinshiranan)
The personal data of around 46,000 TrueMove H users was leaked into Amazon Web Services' cloud storage, leading the National Broadcasting and Telecommunications Commission to call in the company for questioning. (Photo by Narupon Hinshiranan)

The personal data of around 46,000 TrueMove H users was leaked into Amazon Web Services' (AWS) cloud storage, leading the National Broadcasting and Telecommunications Commission (NBTC) to call in the company for questioning on Saturday.

The leaked data found by security researchers on the AWS' cloud storage, also known as the S3 bucket, included scanned images of users' ID cards, passports and drivers' licences.

Over 32GB of data was found stored in the bucket, amounting to 46,000 files that were listed by year.

TrueMove H was reportedly warned by security researchers about the lack of security on users' files, but took no action to prevent it.

When the Bangkok Post contacted TrueMove H, an operator representative simply said the company was taking the data breach seriously.

The Thailand Computer Emergency Response Team (ThaiCERT) has warned mobile phone users about the incident.

According to the ThaiCERT website, it is now working on new data verification measures.

"TrueMove H users should verify what data they have registered with the operator and may notify the police in the event that their data is breached and used for identify theft," said NBTC secretary-general Takorn Tantasith.

"If the data leak was intentionally done, TrueMove H must be penalised," he added.

"NBTC has contacted the company to clarify the case. The NBTC is taking the breach seriously as it has affected the personal data of consumers. The issue must be taken care of soon."

A legal expert said True could face a penalty for the data breach, while security experts called on telecom operators to start introducing smarter data protection laws.

No details were offered on how big the penalty may be.

A True representative acknowledged the problem and said the company is seeking to resolve it.

Bhume Bhumiratana, security expert and adviser to the Securities and Exchange Commission, said the data breach may have occurred due to usage mistakes in the cloud system.

Cases of cloud usage mistakes have been seen in several other countries with telecom operators like Verizon in the United States.

These are often attributed to a lack of data protection measures.

The problem has mostly arisen out of design mistakes due to a lack of risk assessment, or improper cloud usage.

Paiboon Amornpinyokiat, founder of P&P Law Firm, said the mobile operator may face a fine from NBTC as licence holders are obligated to protect consumer data privacy under Section 50 of the NBTC Act.

The hackers behind the data grab face penalties described in Sections 5 and 7 of the Computer Crime Act concerning the violation of data access.


Do you like the content of this article?
COMMENT (24)

Phuket eases restrictions

The provincial communicable disease committee in Phuket has agreed to lift the mandatory 14-day quarantine period for people arriving from Bangkok and Samut Prakan.

07:00

Decline in cases sparks optimism

The eastern provinces, which are currently under the maximum level of Covid-19 control, may soon see the restrictions lifted after a steady decline in new infections, says Deputy Public Health Minister Sathit Pitutecha.

05:00

Health workers on the frontline first in queue for vaccination

The first 50,000 doses of Covid-19 vaccine expected to arrive in Thailand early next month will be administered to frontline healthcare workers in Samut Sakhon, Mae Sot district of Tak and in the southern border provinces, a communicable diseases expert revealed on Saturday.

04:00