author photo
By Devon Warren-Kachelein
Wed | Sep 22, 2021 | 4:15 AM PDT

Vacationing is a time to relax, unwind, and get away from the demands and worries of daily life.

Turn off the devices, disconnect from business, and let the network monitoring fall to your colleagues.

With a scenic and private getaway destination like Thailand, what could possibly go wrong? Perhaps, the trip wasn't as private as you thought. 

Bob Diachenko, an Elasticsearch database expert and Comparitech's cybersecurity research lead, discovered an unsecured database with the information of more than 106 million people who have traveled to Thailand.

Data compiled went back to 2011. Creepily enough, Diachenko identified his own name in the data.

"Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues," an official blog post by Comparitech writer Paul Bischoff reads.

The information included in the database were full names, passport numbers, arrival dates, gender, visa type, residency status, and the Thai arrival card number.

Fans of the Netflix docudrama "The Serpent," which told the story of Asian serial killer Charles Sobhraj, might infer that passport theft can lead down dark pathways.

At least, no financial information was apparently exposed.

Here is the timeline of the exposure, according to the research blog:

• August 20, 2021 – "The database was indexed by search engine Censys."
• August 22, 2021 – "Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in accordance with our responsible disclosure policy."
• August 23, 2021 – "Thai authorities were quick to acknowledge the incident and swiftly secured the data."

Authorities in Thailand claim that none of the data had been accessed by unauthorized parties, however, they continue to investigate.

Researcher Diachenko, on the other hand, believes the data could have been accessed quickly by attackers—within a matter of hours.

As of now, the data has been indexed and the IP address was replaced with a honeypot, but will any repercussions come from this exposed data?

And which type of exposed database will we learn about next? We're not sure, but based on misconfigurations alone, it probably won't be very long.

[RESOURCE] Concerned about data protection at your organization? SecureWorld's upcoming conferences provide you with access to expert advice from top professionals in the industry. 

Comments