BANGKOK — A top telecom operator has until Tuesday to explain to regulators just how it allowed a huge security hole to expose customer data after reports of it caused an uproar.
iTruemart, a subsidiary of True Corp., sought to deflect responsibility for the vulnerability discovered by a white hat hacker by blaming it Saturday on a “hack” that exposed scans of its customers national ID cards, passports and driver’s licenses kept in an unsecured area available for anyone to find. iTruemart said only customers who registered SIM cards through its website had their data exposed.
“The data of customers who bought Truemove mobile packages with iTruemart was hacked,” read the statement. “We would like to apologize our customers. … We have already fixed the data security matter and will issue notices to those affected about the company’s measures to protect customers’ privacy if it occurs that the data is being misused.”
The embarrassing episode began Friday, when an Irish security researcher detailed on his personal blog the fact that True customer data going back to 2016 was stored in an unencrypted cloud system which he described as “discoverable and open for anyone to download.”
In his post, Niall Merrigan described using tools freely available online to discover 32GB of customer data in an unprotected vault. He said there were 46,000 files in the archive, but it was unclear how many people were affected.
He began attempting to notify the company on March 8 and went public with the information after it failed to take action. The problem was fixed Thursday.
He shared details of his correspondence between him and the company, first on Twitter, in which True told him to send all the details to a generic customer support email address.
Merrigan then requested to talk to the company’s security team, but the email he received from True said they “have no contact point of security department” and suggested that he contact their headquarters during normal business hours.
It is not the first time True has mishandled customer information. In 2016, a Truemove shop issued a SIM card to an identity thief without verifying the authenticity of what was a forged identity document, leading to the loss of almost one million baht from a customer’s bank account.
Customers were furious after reading True’s Saturday statement. Complaints poured in over social media about the company’s lack of security.
“Nonsense. I experienced it myself. My ID was already expired but someone used it to register a new SIM card,” wrote Facebook user Pheung Paowiman. “I called to complain many times, but it still hasn’t been resolved.”
“This is not the first time. Someone used my girlfriend’s name to register for a landline service. We told them several times and even filed a complaint to police, but no one does anything,” wrote another user Sarawut Rohmer.
After the story broke, the National Broadcasting and Telecommunications Commission, or NBTC, said it gave True until Tuesday to provide an explanation.
“If found guilty, the company will have charges pressed, and its operating license will be revoked,” said the commission’s Thakorn Tantasit. He added that the commission would have standing as one of the aggrieved parties.
But a leading technology news site published a special report Sunday placing the blame at the feet of the regulators at the NBTC, saying they were “directly responsible” for mandating consumer’s personal information and empowering unreliable players to collect it.
“NBTC requires operators to obtain their customers’ ID cards for a SIM card registration, but at the same time, it has very sloppy mechanisms, giving the registration authority to all ‘sellers,’” it said. “They are not under any supervision from NBTC, and there’s no regulation on how these sellers will secure customer privacy. … How can we know which sellers would secretly keep a picture of our ID cards to use for another purpose?”