True Scrambles to Win Back Confidence After Data Lapse

Representatives from True Corp. attend a Tuesday hearing at the National Broadcasting and Telecommunications Commission offices in Bangkok. Photo: Matichon
Representatives from True Corp. attend a Tuesday hearing at the National Broadcasting and Telecommunications Commission offices in Bangkok. Photo: Matichon

BANGKOK — A telecom conglomerate Tuesday sought to play down the impact of a security breach that exposed more than 11,000 customers identity documents online, as regulators pushed for compensation.

True Corp. representatives insisted at a hearing called by state regulators that customer database for subsidiary iTruemart was “hacked” by “experts,” while pledging to improve security after a data security expert publicized vulnerabilities in its system. It also apologized to affected customers.

“The leakage was data of customers who bought SIM cards with TrueMove devices (with iTruemart). It involved a copy of their national ID cards,” said Suebsakun Sakonsattayatorn, iTruemart managing director, adding that 11,400 customers from between 2015 and 2017 were affected.

Read: Oops? True Posts ID Cards, Passports Online – Blames ‘Hack’

Advertisement

Suebsakun insisted the company closed the security hole one day after learning about it on April 11.

He also said the cloud system which held the customer the data could only be reached by someone with the proper know-how using “special tools.”

That was consistent with what was disclosed Friday by an Irish security researcher, who wrote online that True’s storage vault which held scans of ID cards and passports was “discoverable and open for anyone to download.” He used a freely available tool online to locate the breach. He detailed his attempts to notify the company since March, though no action was taken until over a month later.

Pakapong Pattanamat, deputy director of True’s mobile unit, said the company would begin notifying affected customers via SMS and email later Tuesday.

“True has not received any reports that the data has been misused, but we will file a complaint to police today to ensure that the rights of those affected will be protected,” he said.

Netizens have savaged the company for its response, and Pakapong sought to restore some confidence by explaining that the bulk of True’s customer records – apart from those registered online – are stored in its own encrypted system. He vowed stepped up data security measures to come.

Security lapses are not uncommon in Thailand, but they occur most often in the public sector, where everything from bank account records and home addresses have been left unprotected.

The National Broadcasting and Telecommunications Commission, or NBTC, said after today’s hearing it would contact all affected consumers to evaluate the scope of potential compensation due.

“We will bring all evidence to the board for further investigations before considering if a penalty is needed,” said the commission’s Thakorn Tantasit.

Before the hearing began, the interior minister attempted to cool down the public rage, saying the leak only involved “data from the front of ID cards” while “in-depth details” stored on the card’s ship were not exposed – though that never seemed to be at stake.

“We have a secured system to protect citizens’ privacy. No one can gain an access to these data except officials responsible for it,” said Gen. Anupong Paochinda. “If it occurs that any officer is involved in leaking the data, they will be punished by accordingly under the law.”

Advertisement

The internet was clearly not impressed. National ID cards are printed with identifying information including photos, names, birthdays, home addresses and national identification numbers.

“It’s gonna be like this if elders who don’t understand anything about cybersecurity are still appointed as our leaders. People are soooo safe,” Facebook user Nit Natthanun wrote.

“Wait, is this not a big deal? The system is secured?” user Emma Mitthong said in a post. “Phone scammers can still obtain people’s ID numbers, addresses and bank accounts from government websites!”