The personal details of more than 106 million international travelers to Thailand were exposed on the web without a password, Comparitech researchers report. The database included full names, passport numbers, arrival dates, and more.
Bob Diachenko, who leads Comparitech's cybersecurity research, discovered the database on August 22, 2021 and immediately alerted the Thai authorities, who acknowledged the incident and secured the data the following day.
Diachenko surmises that any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident. He even confirmed the database contained his own name and entries to Thailand.
Timeline of the exposure
Dates on the records ranged from 2011 to present day. Here's what we know happened:
- August 20, 2021- The database was indexed by search engine Censys.
- August 22, 2021 – Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in accordance with our responsible disclosure policy.
- August 23, 2021 – Thai authorities were quick to acknowledg the incident and swiftly secured the data.
Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message, "This is honeypot, all access were logged." [sic]
Thai authorities responded quickly to Diachenko's disclosure, however we do not know how long the data was exposed prior to being indexed. Our honeypot experiments show attackers can find and access unsecured databases in a matter of hours.
Thai authorities maintain the data was not accessed by any unauthorised parties.
What data was exposed
- Date of arrival in Thailand
- Full name
- Sex
- Passport number
- Residency status
- Visa type
- Thai arrival card number
Dangers of exposed data
Related: Passports on the dark web: how much is yours worth?
Why we reported data incident
Comparitech's cybersecurity research team regularly scans the web for unprotected databases containing personal data. When we find such a database, we immediately begin an investigation to find out to whom it belongs, what information it contains, who could be affected, and the potential consequences for data subjects.
Once we identify and verify the owner of the data, we alert them according to our responsible disclosure policy. Once the data has been secured, we publish a report like this one to curb harm to end users and raise cybersecurity awareness.
Inga kommentarer:
Skicka en kommentar