Thai telco True defends security measures after user data breach

BANGKOK (Reuters) - True Corp on Tuesday defended its security measures after what is possibly the first known instance of a major data leak at a mobile operator in Thailand, saying the data had been “hacked” by an expert.

True Corp is Thailand’s second-biggest mobile operator and the flagship company of billionaire Dhanin Chearavanont’s Charoen Pokphand Group.

Earlier, True said stored copies of national identification cards belonging to 11,400 customers who bought “TrueMove H” mobile packages via True’s e-commerce platform iTruemart, run by True’s digital arm Ascend Commerce, had been made public.

The data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True’s customer data, including identification cards, and that he notified True in March about the security breach.

“There was no security at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details,” Merrigan wrote in his blog.

True said the leak was fixed on April 12.

Seubsakol Sakolsatayadorn, Ascend Commerce’s managing director, said the data was private and that customers’ information was hacked by Merrigan.

“In this case the expert did not have the right to access this and he used special tools,” Seubsakol told reporters at a news conference.

According to Pakpong Pattanamas, a deputy director for True’s mobile business, True has “a good security system”.

Merrigan told Reuters he had notified True “in good faith” to get the security issue fixed so the data would not fall into the wrong hands. “I just wanted to get this information secured to ensure a safer internet for everyone.”

“The overall goal is when you see an issue like this, you try to get it fixed,” he told Reuters by e-mail.

True Corp shares closed down about 2 percent, against the broader market’s 0.66 percent drop..

True is working to prevent “this sort of incident” from happening again, said Pakpong.

“TrueMove H will send out an SMS to the 11,400 affected customers and inform them about the security measures that we have taken so far,” Pakpong said.

The National Broadcasting and Telecommunications Commission (NBTC) said it would ask Thailand’s five main mobile operators to clearly outline their data protection measures.

The NBTC is looking to build its own data center to store customers’ information, Takorn Tantasith, secretary-general of the country’s telecoms regulator, told reporters.

“The NBTC thinks that data storage should be done by a government agency,” he said.

“If a state agency is responsible then the public will have more confidence. This is part of our long-term plan,” he added.

Thailand has been working on a draft personal data protection bill. The government has said the bill is expected to go to parliament within May or June.

Reporting by Wirat Buranakanokthanasan and Panu Wongcha-um; Additional reporting and writing by Patpicha Tanakasempipat; Editing by Amy Sawitta Lefevre and Himani Sarkar