Update: AIS issued a statement saying no personal information of customers was leaked.
BANGKOK — AIS moved to secure its online database that leaked 8.3 billion internet records of its users, security researchers said Monday.
The leak was discovered by internet security researcher Justin Paine, who wrote in a post that it took two weeks before the telecom giant fixed it. The incident came just as privacy activists raise concerns over personal data collected by the government in the pandemic.
“Using this data it is quite simple to paint a picture of what a person does on the Internet,” Paine wrote in a Monday blog post. “Unsurprisingly the majority of the traffic was from Thailand, although there is a decent amount of traffic logged from surrounding countries as well.”
The database contained DNS queries (a demand from a user’s computer to a domain name) and Netflow data (IP address traffic). The information does not include sensitive information like passwords, e-mails, and messages, but they include what websites and apps each IP address was using.
Based on the data, Paine was able to pinpoint the social media sites and web browsers different households were using. Paine also noted that the database was especially looking at Facebook traffic.
But in a statement released to Khaosod English, the company said the leak did not reveal any critical information. It also apologized for the incident.
“We can confirm that a small amount of non-personal, non-critical information was exposed for a limited period in May during a scheduled test. All of the data related to Internet usage patterns and did not contain personal information that could be used to identify any customer or cause them financial or any other harm.
We are pleased that the incident was quickly contained and no customer was adversely impacted, financially or otherwise. AIS cares deeply about protecting our customers’ personal information. We are continually reviewing our security procedures to ensure global best-practice. However, on this occasion we acknowledge that our procedures fell short, for which we sincerely apologise.
As the first incident of this kind, AIS has thoroughly investigated the cause and has already taken steps to improve our procedures. We continually strive to maintain the highest standards in ensuring the safety of our customers and their personal data.”
Paine said the leak began on May 1 and exposed around 8.3 billion documents, or a total of 4.7 TB of information, without any password requirement.
He said he tried to contact AIS repeatedly from May 13 to 21, without any success. It was only when he reached out to the Thai Computer Emergency Response Team (ThaiCERT) on May 21 that actions were taken. The database was finally removed May 22.
Similar concerns were raised over the Thai Chana website that collects personal data of customers who visit malls and shops during the coronavirus pandemic.