Security

From Bangkok to Phuket, they cry out: Oh, Bucket! Thai mobile operator spills 46k people's data

S3 spillage spoils included driving licences and passports


TrueMove H, the biggest 4G mobile operator in Thailand, has suffered a data breach.

Personal data collected by the operator leaked into an Amazon Web Services S3 cloud storage bucket. The leaked data, which includes images of identity documents was accessible to world+dog before the mobile operator finally acted to restrict access to the confidential files yesterday, 12 April.

The issue was uncovered by security researcher Niall Merrigan, who told us he had tried to disclose the problem to TrueMove H, but said the mobile operator had been slow to respond.

Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning light

READ MORE

The researcher told El Reg that he’d uncovered around 46K records that collectively weighed in at around 32GB. Merrigan attempted to raise the issue with TrueMove H, but initially made little headway beyond an acknowledgement of his communication.

Representatives of the telco initially told him to ring its head office when he asked for the contact details of a security response staffer before telling him his concerns had been passed on some two weeks later, after El Reg began asking questions on the back of Merrigan’s findings.

In the meantime, other security researchers have validated his concerns.

“There were lots of driving licences and I think I saw a passport,” said security researcher Scott Helme. “I guess they have to send ID for something and the company is storing the photos in this bucket, which can be viewed by the public.”

El Reg approached TrueMove H about the incident. The mobile operator responded last month with a holding statement stating that it was investigating the matter and we hung fire on opublication until the data was no longer public facing.

Please kindly be informed that this matter has been informed to a related team for investigation. If they have any queries or require any further information from you, they will contact [you] later.

Merrigan said the exposed data was still available up until yesterday, when it was finally made private, allowing the security researcher to go public with his findings. A blog post by Merrigan that explains the breach - and featuring redacted screenshots of the leaked identity documents - can be found here. ®

Send us news
8 Comments

Garlic chicken without garlic? Critics think Amazon recipe book was cooked up by AI

Twitter tipster points to suspicious signs from author producing thousands of recipes

Record breach of French government exposes up to 43 million people's data

Zut alors! Department for registering and helping unemployed people broken into

Microsoft confirms memory leak in March Windows Server security update

ALSO: Viasat hack wiper malware is back, users are the number one cause of data loss, and critical vulns

Yacht dealer to the stars attacked by Rhysida ransomware gang

MarineMax may be in choppy waters after 'stolen data' given million-dollar price tag

Serial extortionist of medical facilities pleads guilty to cybercrime charges

Robert Purbeck even went as far as threatening a dentist with the sale of his child’s data

Stanford University failed to detect ransomware intruders for 4 months

27,000 individuals had data stolen, which for some included names and social security numbers

Nissan to let 100,000 Aussies and Kiwis know their data was stolen in cyberattack

Akira ransomware crooks brag of swiping thousands of ID documents during break-in

Swiss cheese security? Play ransomware gang milks government of 65,000 files

Classified docs, readable passwords, and thousands of personal information nabbed in Xplain breach

Amazon bends to Euro watchdogs, waives egress fees for folks ditching AWS

Now the pressure is on for Microsoft to stop holding user data hostage

Amazon goes nuclear, acquires Cumulus Data's atomic datacenters for $650M

E-commerce giant on the hook for 480MW of power from Susquehanna plant

Japan orders local giants LINE and NAVER to disentangle their tech stacks

Government mighty displeased about a shared Active Directory that led to a big data leak

US accuses Army vet cyber-Casanova of sharing Russia-Ukraine war secrets

Where better to expose confidential data than on a dating app?