Thailand is one of the popular tourist destinations with a large number of visitors from across the world. While the country is looking forward to welcoming tourists post-pandemic, a recent data breach incident has left a bitter experience among millions of travelers who visited Thailand in the last 10 years.
Bob Diachenko, cybersecurity researcher and security leader at Camparitech, discovered an unprotected Elasticsearch server exposing the personal data of over 106 million international travelers to Thailand. The unsecured database, which included tourists’ sensitive information such as full names, passport numbers, and arrival dates, was exposed online, allowing anyone to access the data. Diachenko also confirmed that the leaky server exposed his own name and entries to Thailand. However, the database has now been secured after he reported the issue to the Thai authorities.
Diachenko claimed that any tourist who traveled to Thailand in the last 10 years might have had their personal data exposed in the incident.
What was exposed in the breach
The database hosted over 200GB of users’ data (more than 106 million records). The exposed information included:
- Date of arrival in Thailand
- Full name
- Sex
- Passport number
- Residency status
- Visa type
- Thai arrival card number
The Breach Impact
The Thai authorities stated that there is no sign of any misuse of the leaked data. While no financial data was leaked in the incident, the other exposed information could lead to various security risks if threat actors access it.
“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own,” Diachenko stated.
Unsecure Databases Attract Threat Actors
Threat actors are always on the hunt for unsecured servers. In this case, there is no evidence of how long the database was left exposed before Diachenko’s disclosure. However, a honeypot was planted to monitor hacker intrusions.
“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added.
A honeypot is a security mechanism used to detect or counteract unauthorized intrusions of network and information systems. Earlier, a honeypot experiment from Camparitech found that attackers find and access unprotected databases in hours. The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it. Comparitech left the exposed data from May 11 until May 22, 2020. It found 175 attacks in just eight hours after the server deployed, with the number of attacks in one day totaled 22.