True urged to com­pen­sate data-breach cus­tomers


The tele­com reg­u­la­tor has or­dered True Move H to as­sess the im­pact and pre­pare a com­pen­sa­tion of­fer to cus­tomers af­fected by the re­cent leak of per­sonal data.

The move came af­ter a meet­ing be­tween the Na­tional Broad­cast­ing and Telecom­mu­ni­ca­tion Com­mis­sion (NBTC)’s ex­ec­u­tive and the com­pany’s rep­re­sen­ta­tives.

This fol­lowed an alert sent to True in March from Niall Mer­ri­gan, a Nor­way­based cy­ber­se­cu­rity re­searcher, that he was able to ac­cess 32 gi­ga­bytes of 11,400 True cus­tomers’ data stored in iTrue­mart on Ama­zon Web Ser­vices (AWS), a type of cloud stor­age plat­form known as an S3 bucket.

The data i ncluded their ID cards and pass­ports.

NBTC sec­re­tary-gen­eral Takorn Tan­th­a­sit said af­ter the meet­ing that the NBTC has yet to de­cide whether to pun­ish True as it needs to con­duct a for­mal in­ves­ti­ga­tion into the in­ci­dent first.

Still, the NBTC has or­dered True to con­sider com­pen­sa­tion for af­fected cus­tomers and will is­sue a let­ter de­mand­ing mo­bile phone op­er­a­tors take ap­pro­pri­ate precautions to pre­vent sim­i­lar breaches in the fu­ture.

Pakpong Pat­tana­mas, deputy di­rec­tor for mo­bile busi­ness of True Cor­po­ra­tion, said True Move H is con­sid­er­ing tak­ing le­gal ac­tion against Mr Mer­ri­gan for in­ten­tion­ally hack­ing the data from the sys­tem.

“Mr Mer­ri­gan used three spe­cial tools to ac­cess data which he has no right to get into,” said Mr Pakpong.

iTrue­mart, cur­rently known as WeMall, is the on­line re­tail plat­form of the com­pany.

The per­sonal data kept by iTrue­mart is not read­ily ac­ces­si­ble to the gen­eral pub­lic, ex­cept ex­perts, said Mr Pakpong.

True Move H is as­sess­ing the dam­age caused by the in­ci­dent as it con­sults with its lawyers.

A source in cloud tech­nol­ogy said this case is not about IT se­cu­rity but care­less­ness by those in charge of True’s AWS S3 ser­vice.

The de­fault set­ting for the plat­form is “pri­vate”, which has raised the ques­tion why the com­pany had theirs set to “pub­lic” mode in­stead.

“It’s like you open the door and for­get to close it, noth­ing about spe­cial hack­ing tools,” said the source.

“The most im­por­tant is that True, or any user of the ser­vice, should en­crypt sen­si­tive data be­fore it is up­loaded to the cloud,” said the ex­pert.

In an­other de­vel­op­ment, the NBTC yes­ter­day called all tele­com op­er­a­tors to dis­cuss the wide­spread prob­lem of un­so­licited SMS con­tent.

Mr Takorn said that last year 772 peo­ple com­plained they re­ceived mes­sages con­tain­ing links to sub­scrip­tion ser­vices which, when clicked, led to them be­ing im­me­di­ately charged money, with a to­tal cost of 176,000 baht.

Mr Takorn said the NBTC has in­structed tele­com op­er­a­tors to con­tact any cus­tomers who may be un­know­ingly en­rolled in these sub­scrip­tions ad­vis­ing them they can dial *137 to can­cel. The op­er­a­tors have to start send­ing SMS to cus­tomers alert­ing them on April 24.

Newspapers in English

Newspapers from Thailand

© PressReader. All rights reserved.