After uncovering an unsecured database collecting the personal information of millions of tourists to Thailand, a British cybersecurity researcher unexpectedly stumbled upon his own personal data online. An unencrypted Elasticsearch server was discovered by Bob Diachenko, a cybersecurity researcher and security leader at Camparitech, exposing the personal data of approximately 106 million international passengers to Thailand. The data was accessible online in an unsecured database, allowing anyone to access it.
Threat actors are constantly on the lookout for unprotected servers. There is no proof of how long the database was exposed before Diachenko’s disclosure in this case. A honeypot, on the other hand, was set up to monitor hacker intrusions.
“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added.
A honeypot is a security tool that detects or prevents unauthorized network and information system breaches. The organization set up a honeypot to see how quickly hackers would attack an Elasticsearch server using a dummy database and fake data. From May 11 until May 22, 2020, Comparitech left the data exposed. It discovered 175 attacks in just eight hours after the service went live, with a total of 22 attacks in a single day.
After he reported the problem to Thai authorities, the database was safeguarded. According to Diachenko, every visitor who visited Thailand in the last ten years may have had their personal information exposed as a result of the event. Over 200GB of user data was stored in the database. Date of arrival in Thailand, full name, sex, passport number, residency status, visa type, and Thai arrival card number were among the data disclosed.
“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects,” Diachenko stated.
“No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive,” Diachenko added.