Bangkok Post

3-week lapse for AIS data breach

‘Non-critical’ exposure for 8bn

- KOMSAN TORTERMVASANA

Advanced Info Service (AIS), the top mobile operator by subscriber numbers, has insisted no personal information from customers was leaked during a scheduled test earlier this month — only non-critical information was exposed online as reported by foreign media.

The website techcrunch.com broke a story yesterday about AIS’s database of 8 billion internet records that was left open on the internet without a password earlier this month. The website indicated the database was later secured following an alert to Thai authorities.

“We can confirm a small amount of non-personal, non-critical information was exposed for a limited period in May during a scheduled test,” said Saichon Submakudom, head of public relations at AIS.

All of the data was related to internet usage patterns and did not contain personal information that could be used to identify any customer or cause them any harm, financially or otherwise, she said.

“We are pleased the incident was quickly contained and no customers were adversely impacted, financially or otherwise,” said Ms Saichon.

The company will continue reviewing its security procedures to ensure global best practices, she said.

“We acknowledge our procedures fell short, for which we sincerely apologise,” Ms Saichon said.

As this is the first incident of its kind, AIS will investigate the cause, she said.

A source at the National Broadcasting and Telecommunications Commission (NBTC) who requested anonymity said AIS executives will explain the incident to the regulator today.

The NBTC may order AIS to be more cautious in handling customer data to ensure there will be no mistake in the future, the source said.

The incident was disclosed by security researcher Justin Paine in a blog post. He shared the information with techcrunch.com.

He discovered the database, which contained DNS queries and Netflow data, on the internet without a password.

This makes it possible for any capable individual to “quickly paint a picture” about what an internet user does in real-time, said Mr Paine.

According to TechCrunch, DNS queries are a normal side effect of using the internet. When visiting a website, the browser converts a web address into an IP address, which tells the browser where the web page lives on the internet.

Although DNS queries do not carry private messages, emails, or sensitive data like passwords, they can identify which websites users access and which apps they log onto.

“I contacted a TechCrunch journalist for assistance, but we were unable to contact AIS starting from May 13. Then I alerted the Thailand Computer Emergency Response Team about the findings. ThaiCert then contacted AIS to have the database secured.”

JUSTIN PAINE

Internet security researcher

According to Mr Paine, the database was likely controlled by AIS subsidiary Advanced Wireless Network (AWN).

He said he tried to contact AIS to get the database secured without success.

Mr Paine said he then contacted a TechCrunch journalist for assistance, but both of them were unable to contact AIS. He started alerting AIS about the open database on May 13.

He then alerted the Thailand Computer Emergency Response Team (ThaiCert) under the Digital Economy and Society Ministry about the findings. ThaiCert then contacted AIS to have the database secured.

“It is important to note that ThaiCERT contacted AIS about the exposed database, then the database was offline shortly after,” he wrote on his blog.

“It’s possible AIS promptly notified AWN, or they may have simply blocked access to the exposed database to quickly address the issue for their subsidiary company.”

Mr Paine indicated the database was first observed as exposed and publicly accessible on May 1, adding he discovered this database on May 7.

The database was exposed for around three weeks, he said. Around 8.3 billion documents were stored in the database as of May 21, when he alerted ThaiCert, said Mr Paine.

The data was found to be secured on May 22.

REUTERS Privacy concerns loom as an AIS online database containing information on 8.3 billion internet customers was left unprotected.
