BANGKOK — Sensitive information of tens of thousands of foreign travelers, including their real names and passport numbers, was publicly available on a government website until it was taken down yesterday in response to publicity.
Operated by the Bureau of General Communicable Diseases, the website displayed records of foreign travelers who passed through health checkpoints at Thai border controls, both air and land.
A screenshot of the database with names, passport numbers and residence addresses blurred.
In addition to dates of travelers’ most recent vaccines, the information included their real names, nationalities, passport numbers, flight numbers, addresses in Thailand and in some cases email addresses. It appeared to cover only certain regions, as the vast majority of the travelers were from South American nations.
It was unclear how long the information had been available online, but the records went back to 2012.
The discovery of the unsecured information demonstrated again the weak security protocols for protecting sensitive data. On Sunday, a website was taken down which exposed personal details of foreign residents in southern Thailand, including a map showing where they lived.
Arthit Suriyawongkul of privacy advocacy group Thai Netizen Network said bureaucrats applied the same flawed logic in both incidents, that no one would find the URLs to access the sensitive information.
“It’s like you have a home, and you keep valuables in that home, and you hide a backdoor at the back of your house,” Arthit said. “But this doorway has no door at all. It’s just a frame in a hidden corner, and you hope that no one will know about this doorway.”
Attention was called to the disease bureau’s database Monday by user Brfsa2 on the popular ThaiVisa forum, in a thread discussing news about the immigration website which revealed similar sensitive information about expats living in southern Thailand.
“It has all names, passports, full current address, nationality and every single travel history,” the user wrote, including a link subsequently deleted by a forum administrator. “All made puiblicly [sic] available within a simple google search. Amazing!”
Thai Netizens said it contacted the department in charge of the database at around 6:10pm on Monday and the website was taken down an hour later.
In its Facebook post, Thai Netizen Network also advised members of the public to report any “leaks” or exposure of sensitive information to the Center of Emergency Response Team, a state agency tasked with improving national cybersecurity.
Arthit believes such incidents will become more frequent as bureaucrats place more private information and records online to improve services and communication between agencies. And problems with data vulnerability will only be solved, he said, if a data privacy law is enacted that insures it is used for legitimate purposes and is stored securely.