Thailand's largest mobile network has taken down one of its databases following an alleged data breach.
The leaky database was thought to be exposing the internet records of millions of Thai citizens in real time, with around 8.3 billion records believed to be compromised.
The breach was uncovered on May 7 by security researcher Justin Paine, who discovered an open ElasticSearch database online which appeared to be controlled by AWN, a subsidiary of Thailand’s largest GSM mobile phone operator, Advanced Info Service (AIS). The database contained DNS queries and Netflow data, which together would make it all too easy to map a user’s internet activity.
Paine reported the open database to AIS, but after a week passed with no response, he alerted ThaiCERT, Thailand’s national computer emergency response team, which in turn contacted AIS. By May 22, the database was inaccessible.
Paine told TechCrunch that the kind of records present in the database can only come from an entity that can monitor internet traffic as it flows across the network. However, it is difficult to ascertain whether the database belongs to the internet provider or one of its subsidiaries, or to an enterprise customer on AIS’s network.
Thai data breach
The affected ElasticSearch database is now secure, but billions of internet usage records of the Thai public were publicly accessible from around May 1, six days before Paine discovered it, and 21 days before the database was secured again.
As of May 21, 8,336,189,132 documents were stored in the database, amounting to over 4TB of internet usage data.
AIS confirmed it owned the data in a statement apologising for the breach.
“We can confirm that a small amount of non-personal, non-critical information was exposed for a limited period in May during a scheduled test,” AIS spokesperson Sudaporn Watcharanisakorn said.
“All of the data related to Internet usage patterns and did not contain personal information that could be used to identify any customer. On this occasion we acknowledge that our procedures fell short, for which we sincerely apologise.”
While DNS queries do not carry private or sensitive data like passwords or messages, they can reveal which websites or apps a user accesses. Exposing this data can pose a serious security risk to individuals in high-risk professions, such as journalists, politicians and police workers.
Thailand, which has some of the strictest censorship laws in Asia, has also passed internet laws granting authorities wide-ranging access to the internet data of its citizens.