Truemove H, the second-largest telco operator in Thailand, experienced a data leak over the weekend that resulted in sensitive customer materials, such as passport and national ID card information, becoming public.
The leak was discovered by an Irish researcher named Niall Merrigan who lives in Norway. On his personal blog, he detailed his discovery and the response to the issue provided by True.
About 46,000 accounts were discovered in an Amazon Web Services (AWS) S3 cloud storage bucket. The scary part of this particular leak is that all it required was the correct URL, and really anybody could download full scans of people’s ID cards or passports.
According to Merrigan, he informed True about the leak back in March, and the blog post makes it seem as if the company did not act until an article in The Register was about to be published.
The data appears to have remained accessible to the public for over one month, from when the leak was initially reported to when the information was finally removed.
“I checked again on Thursday 12-April 10:00 to verify if the files were available still and they were. At 19:00 they had finally been made private,” Merrigan wrote.
According to the Bangkok Post, the leak was considered of such a serious nature that the government regulatory body, the National Broadcasting and Telecommunications Commission (NBTC), called in representatives from True for questioning over the weekend.
Last weekend was the Songkran New Year’s festival that is widely celebrated across the Mekong region.
Technically, the NBTC does have the authority to revoke a telco license if it is deemed that the company is leaking sensitive information on purpose.
True will reportedly be called in for further questioning on Tuesday before any actions are taken.