An unsecured database containing international travel records was left exposed on the web without a password, researchers from Comparitech confirmed. Dates on the records ranged from 2011 to the present day.
Personal information of travellers included date of arrival in Thailand, full name, sex, passport number, residency status, visa type and Thai arrival card number.
Bob Diachenko, who leads Comparitech’s cybersecurity research, discovered the database on Aug 22, 2021 and immediately alerted the Thai authorities, who acknowledged the incident and secured the data the following day.
Diachenko surmises that any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident. He even confirmed the database contained his own name and entries to Thailand.
The database was indexed by the search engine Censys on Aug 20, and Diachenko discovered the unprotected data two days later. He immediately took steps to verify and alert the owner in accordance with the company’s responsible disclosure policy. Thai authorities acknowledged the incident on Aug 23 and swiftly secured the data.
Notably, the IP address of the database is still public but, at the time of press, the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message, “This is honeypot, all access were logged.” [sic]
Thai authorities responded quickly to Diachenko’s disclosure and maintain that the data was not accessed by any unauthorised parties. However, it is unknown how long the data was exposed prior to being indexed. ‘Honeypot experiments’ conducted by Comparitech show attackers can find and access unsecured databases in a matter of hours.
“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database,” said Comparitech’s tech writer Paul Bischoff. “There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues.”
None of the information exposed poses a direct financial threat to the majority of data subjects as no financial or contact information was included, said Bischoff.
“Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own,” he said.