Personal info at risk as TrueMove H customer data found in online folder

[rooster59]

Personal info at risk as TrueMove H customer data found in online folder

By The Sunday Nation 

 

 

THE National Broadcasting and Telecom Commission (NBTC) has sought an urgent meeting with executives of TrueMove H, one of the country’s three major mobile phone operators, to question a probable massive leak of customers’ personal data.

 

The likely leak, including individuals’ ID cards and passport numbers, was first reported by Blognone, an online technology news service, when Niall Merrigan, a cyber-security researcher, said he had found the data under the folder name of Truemoveh/idcard with unrestricted access on the cloud storage facility of Amazon Web Service.

 

The 32-gigabyte folder contained multiple years of personal data of TrueMove H’s customers in Thailand, including those from 2016 (14.5 gigabytes), 2017 (8.3 gigabytes) and 2018 (2.2 gigabytes).

 

The folder shows a large quantity of personal ID card data, including photos and 13-digit numbers that were apparently used when customers first signed up with TrueMove H. The passport details of foreign customers in Thailand was in the folder, too. Due to its unrestricted access on the cloud-based data storage facility, such a massive data could be abused by unscrupulous people, affecting a large number of people in Thailand.

TrueMove responded to Merrigan’s alert on the possible data leak on Tuesday and managed to restrict access to the folder which stored its customers’ private data.

 

Takorn Tantasith, secretary-general of NBTC, said TrueMove H must explain during the April 17 meeting with the regulatory agency what happened to its customers’ personal data. There was a risk that a large number of individuals’ private ID card data could have been compromised due to it being stored in an unsecured way, he said.

 

According to Takorn, violators of the data privacy and related laws are subject to punishment and the regulatory agency is empowered to revoke the licenses of mobile phone operators if they are found to be guilty of intentionally leaking personal data.

 

However, NBTC will hear from TrueMove H before making its decision on this issue. Takorn said the security of personal data was very important to NBTC, which had a duty to protect the public interest in relation to mobile phone services.

 

This latest incident was reported to have occurred some time ago and it took the Thai firm more than a month to respond to Merrigan’s alert, which was posted on social media in early March, according to Blognone.

 

TrueMove H said it was investigating the issue and its causes but the access to the folder containing customers’ personal data was no longer accessible to unauthorised people.

 

Source: http://www.nationmultimedia.com/detail/national/30343191

 

 

 

-- © Copyright The Nation 2018-04-15

 

[Samui Bodoh]

This is why Thailand 4.0 is not a serious thing.

 

Does anyone believe that the Thais have enough safeguards on personal data? I do not.

Does anyone believe that their data will be safe? I do not.

Does anyone believe that the Thai cyber-infrastructure is developed enough for Thailand 4.0? I do not.

 

Perhaps Thailand 1.0 or Thailand 2.0 might be a better step to begin with...

 

[KittenKong]

So, nearly as bad as Immigration using the reverse of old photocopies of personal documents as printing paper then?

Or my condo management using the top row of a PC keyboard as the password for the office email, and never changing it.

Thailand has no idea whatsoever about security.

[kotsak]

20 minutes ago, KittenKong said:

So, nearly as bad as Immigration using the reverse of old photocopies of personal documents as printing paper then?

Or my condo management using the top row of a PC keyboard as the password for the office email, and never changing it.

Thailand has no idea whatsoever about security.

Actually the root cause is the lack of sense of privacy.

[robblok]

They should get fined high, big companies should learn to protect data (and so should immigration). 

[shady86]

You can laugh at system here who always insists on original IDs and signed photocopies of them. I wonder why these data are uploaded to cloud where companies are supposed to keep the papers.

[Pib]

Personal data protection in Thailand is really a joke the way ID cards, passports, and other critical personal information is copied, stored, used, exchanged, protected, etc.  

 

The NBTC will beat their chest about this data breach, but when the dust settles True will end-up only paying a small fine.  The fine might even be a couple hundred thousand or even million baht, but that's peanuts to a big company like True....lot cheaper to pay a fine than to implement strong data protection.

 

The biggest hit True will take is in public trust, but I don't think the great majority of Thais really comprehend the possible identity theft ramifications because for their whole life the free exchange of personal information such as copying & storing of ID cards/passports by companies, employers, govt agencies, etc., has just been "that's just the way it is....what can I do...what's the worry...it's OK, right?"

[bluesofa]

54 minutes ago, Pib said:

Personal data protection in Thailand is really a joke the way ID cards, passports, and other critical personal information is copied, stored, used, exchanged, protected, etc.

 

Absolutely.

A year or so back there was an article about a couple of Thais who stole a million Baht out of the online account of another Thai who sold cars via facebook.

They got his personal details by claiming to be interested in buying one of the cars he was advertising, but told him they were worried he might take their money without delivering the goods, as they didn't know who he was.

He emailed them a copy of his ID card and house registration. Using that they managed to access his bank account and steal his money.

 

After reading that article, my wife now understands why any mail or paperwork with personal details we have is shredded before going into the bin.

It doesn't yet appear to have caught on with the criminally-minded here, but I know in the UK there have been reports of stealing householders rubbish, to go through it in order to commit identity theft.

 

[Anak Nakal]

Boycott company!

Change telephone. I don't trust the people.

[Brickbat]

Jumping ship? Are the others any better? And so many institutions take personal details. All tarred with the same brush. Absolutely right! No damn sense of privacy. Actually, it’s the inability to understand consequences. That mai pen Rai attitude.

[Chris Lawrence]

These guys and girls got hacked too. Which one is worse?

 

 

Personal information is just that. But what is our recall to these mistakes?

[cyberfarang]

I have online bank accounts both in the UK and in Thailand. Each time I login 1`m holding my breath that my accounts have not be cleaned out.

 

In theory all banks are meant to cover any accounts that have been hacked or accessed fraudulently,  but the burden lies on customers that need to prove, it was not them that withdrew the funds. The banks also say that monies will be refunded if taken by online theft providing proper security is installed on their computers or any other devices for receiving Internet. That includes antivirus software, but they fail to explain what they mean by security software and which anti virus software is acceptable to the banks. In other words customers may never be able to prove their case.

 

Don`t trust any of it, we are all vulnerable.