When Travel Goes Wrong: 106 Million Visitors to Thailand Impacted by Data Breach

Over the past year, the COVID pandemic has completely turned the world upside down, from how we live to how we work, and how we stay connected to those around us. But most importantly, it’s made us more appreciative of technology and the seemingly small, but overlooked pleasures in our daily lives – like getting a haircut or stepping foot outside our home to travel the world.

But with these major travel restrictions, has come a massive stand-still in the tourism industry, and an unprecedented drop in revenue in the millions of dollars for countries whose economies were built on the backbone of tourism. As countries prepare for a future recovery of the tourism market and rely on technology to advance the travel experience, companies are faced with new security challenges that traditional security solutions aren’t designed to address.

The latest data breach, affecting millions of travelers to Thailand, is a prime example of this emerging threat. 

An unsecure Elasticsearch database containing the personal data of 106 million visitors to Thailand was discovered on August 22, 2021 by Bob Diachenko, a cybersecurity researcher at Comparitech. 

According to Infosecurity Magazine, the database was publicly accessible, and contained “full names, arrival dates, gender, residency status, passport numbers, visa information and Thai arrival card numbers” dating back to 10 years ago. 

In a surprising twist, the data breach hit close to home as the cybersecurity researcher stumbled upon his own personal data in the database.

While researchers were unable to determine how long the data had been exposed for, Thai authorities acted swiftly to secure the database within 24 hours of receiving word of the vulnerability. As a second line of defense, the index has been replaced with a digital booby trap such that any visitor who attempts to access the database is shown the message, “This is a honeypot, all access were logged [sic].”

According to the report, “any foreigner who traveled to Thailand in the last decade or so probably has a record in the database.” With Dasera, Thai authorities could have prevented this vulnerability by detecting and correcting database misconfigurations, to protect the privacy of these impacted individuals. 

When traveling for work or pleasure, we shouldn’t have to worry about our data being unprotected. Let’s do our part to keep it that way. Visit www.dasera.com to learn more about how to better secure your data. 

Author

Tu Phan