NAKHON SI THAMMARAT — Personal details of hundreds of expats living in the southern province of Nakhon Si Thammarat were laid bare to the internet for hours last night thanks to the weak security of a police immigration website.
Openly available to anyone who visited the site were names, nationalities, passport numbers, professions and home addresses of foreign residents, showing where they all resided on an interactive map. The site, since taken offline, was supposed to be a test of an internal police database under development, according to an immigration police commander.
“It was a demo, we were testing it,” Maj. Gen. Thanusilpa Duangkaewngam, the officer in charge of the provincial immigration bureau, said by telephone.
An interactive map showing the residences, nationalities, passport numbers and other unprotected information about foreign nationals was found freely available on an Immigration Bureau website. Image: Thai Netizens / Facebook
The information was accessible at http://www.adsum.in.th/index.php to any internet user without need of a password. Attention to it appears to have first come from former Thailand-based journalist Andrew MacGregor Marshall, who shared it via Facebook on Sunday night to warn foreigners living in the province.
“If you are a foreigner living in southern Thailand – including Phuket and Samui – you need to take urgent steps to protect yourself,” wrote Marshall, who is wanted by Thai authorities for his critical writing about the monarchy.
Further underscoring the vulnerability of the site, some internet users also correctly guessed the password to enter the website’s management system: 123456.
It was unclear how long the site had been online. The website administrator took down the site at around 2am, according to digital advocacy group Thai Netizens. It also identified the website developer as a firm called Youngcyber Digital Technology, which is headed by a man named Akram Aleeming. The website for the firm was offline Monday.
In response to outraged comments about the site, Akram wrote in the comments section that he apologized for the poor security and said he didn’t expect anyone to find the website.
“It was an internal system but my [team] was testing the system to show them how it works, and so I unlocked the authentication system on that problematic page” Akram wrote, referring to immigration police. “But there were issues about passport numbers. I made a mistake. I didn’t think anyone would find the website.”
Akram could not be reached for comment Monday.
Maj. Gen. Thanusilpa, the immigration police commander, played down the “leaks” by claiming no important information was stored on the site, despite evidence suggesting otherwise.
“There’s nothing on there,” Thanusilpa said, adding that immigration police would release an official statement about the matter.
Thai bureaucracy is notorious for its lack of digital competence. Many of its websites are poorly developed and therefore vulnerable to even the crudest forms of cyberattacks, as demonstrated in late 2015 when internet-based activists managed to take down government servers by simply refreshing pages – a method known as a denial-of-service attack.
That protest was a response to the junta’s plan to construct a “single gateway” to control all internet traffic in Thailand. While junta chairman Prayuth Chan-ocha insisted the project is meant to protect Thais from online threats, critics say a single gateway is not only intrusive but technically unfeasible, as authorities do not have adequate expertise and resources to maintain the system.