THE National Broadcasting and Telecom Commission (NBTC) has sought an urgent meeting with executives of TrueMove H, one of the country’s three major mobile phone operators, to question a probable massive leak of customers’ personal data.
The likely leak, including individuals’ ID cards and passport numbers, was first reported by Blognone, an online technology news service, when Niall Merrigan, a cyber-security researcher, said he had found the data under the folder name of Truemoveh/idcard with unrestricted access on the cloud storage facility of Amazon Web Service.
The 32-gigabyte folder contained multiple years of personal data of TrueMove H’s customers in Thailand, including those from 2016 (14.5 gigabytes), 2017 (8.3 gigabytes) and 2018 (2.2 gigabytes).
The folder shows a large quantity of personal ID card data, including photos and 13-digit numbers that were apparently used when customers first signed up with TrueMove H. The passport details of foreign customers in Thailand was in the folder, too. Due to its unrestricted access on the cloud-based data storage facility, such a massive data could be abused by unscrupulous people, affecting a large number of people in Thailand.
TrueMove responded to Merrigan’s alert on the possible data leak on Tuesday and managed to restrict access to the folder which stored its customers’ private data.
Takorn Tantasith, secretary-general of NBTC, said TrueMove H must explain during the April 17 meeting with the regulatory agency what happened to its customers’ personal data. There was a risk that a large number of individuals’ private ID card data could have been compromised due to it being stored in an unsecured way, he said.
According to Takorn, violators of the data privacy and related laws are subject to punishment and the regulatory agency is empowered to revoke the licenses of mobile phone operators if they are found to be guilty of intentionally leaking personal data.
However, NBTC will hear from TrueMove H before making its decision on this issue. Takorn said the security of personal data was very important to NBTC, which had a duty to protect the public interest in relation to mobile phone services.
This latest incident was reported to have occurred some time ago and it took the Thai firm more than a month to respond to Merrigan’s alert, which was posted on social media in early March, according to Blognone.
TrueMove H said it was investigating the issue and its causes but the access to the folder containing customers’ personal data was no longer accessible to unauthorised people.
Republished with permission from The Nation