Not again! Another website used by foreigners in Thailand suffers massive data breach

[OJAS]

Makes one wonder, I think, whether similar data breach issues were behind the 90-day reporting extranet being taken down for several weeks, supposedly for "maintenance" purposes not long ago.

 

And whether these issues were cured as a result of this "maintenance" work - or, heaven forbid, made worse.

Edited June 17, 2021 by OJAS

[SwampyThai]

Not to worry as they are in the process of updating their Sinclair ZX Spectrum to 48kb of RAM and installing a new floppy disc, also a copy of Dummies Guide To Programming is hastily being translated.

[rabas]

Richard Barrows updated his Twitter account with the following statement. Seems he understands the situation. Do hope he is OK. I don't want to see pictures of Richard surrounded by police pointing at an address bar.

 

UPDATE: The data breach on the appointment booking form for Immigration has already been closed. I thank them for their prompt response and apologise for contacting them publicly. The person who first contacted me about this said he failed to get any response from Immigration.

[TKDfella]

Well, that means Thailand is well on track for being the Space Hub of ASEAN. With any luck they'll (you know who I'm referring to) get the same program experts to program a rocket, get on board and launch into ever decreasing circles.

[thaibeachlovers]

15 hours ago, internationalism said:

welcome to thailand 0.4.

do expect local mafia figures to check on your home safe, while you pop to shops.

you passport data used by terrorists (they might even take it with safe).

some spam sms and email messages with offers of real estate close to your home or some bitcoin offers (did happen to me shortly after registering for vax, but never ever before that)

Don't restrict it to Thailand. If anyone thinks computer systems anywhere in the world are secure I have a very nice bridge for sale.

If the crims can hack the US government every system is vulnerable and the gangs probably pay better than the government for computer savvy folk.

[thailand49]

You get what you pay for!  You pay nothing you get nothing!????

[Mr Meeseeks]

13 hours ago, connda said:

These people have no idea how to develop code.  They are literally back in the 1990s in their web development practices.
I jokingly said awhile back that contracts to produce Thai government websites like this one are given to some big-wigs kid or nephew in university.  Now I'm betting I'm not far off.  No date security at all.

My companies have government contracts so from my experience you are most likely correct. 

 

So much nepotism goes on that most expats are not aware of, it would shock even the most cynical on this forum.

 

If you understand how the Thais operate, business becomes a lot easier for us as foreigners though, outwith having a niche that is. Having a niche and understanding the Thai way of doing business is the best way to running a successful enterprise. 

 

Try to meet Thais in your target industry first and think of how your business can benefit them, then make your business plan accordingly. ????

[Bkk Brian]

10 minutes ago, thaibeachlovers said:

Don't restrict it to Thailand. If anyone thinks computer systems anywhere in the world are secure I have a very nice bridge for sale.

If the crims can hack the US government every system is vulnerable and the gangs probably pay better than the government for computer savvy folk.

Oh I don't know about that, lets do restrict this to Thailand as thats the topic and I'm sure other governments such as the US would not leave such amateurish gaping holes in the security structure of accessing a url that should be secured, otherwise it would have been in the news years ago.

[bluejets]

Going on everywhere, not just Thailand so I wouldn't be too quick to judge any of Thailands setups.

[Bangkok Barry]

Thailand simply isn't ready for the 21st century, nor for much of the 20th. They can't drive and they can't programme websites.

[Mr Meeseeks]

46 minutes ago, Fex Bluse said:

 

He's doing the right thing. The Thais would not react unless they publicly lose face. That's how it works here. 

Correct. Remember reactive not proactive. 

[Russell17au]

Well, All the Thai bashers are at it again, but they will not accept the "Data Leaks" that are occurring in Thailand but they cannot and will not admit to all the "Data Leaks" from banks, social security organisations and other government departments that occur in their first world home countries like America, UK, Australia and Europe. It does not matter what country it is in the world "computer data is not secure" If you do not want your information to be put onto a computer data base then don't give it to the organisation that wants it and just go home to your own country and curl up in a dark corner. 

[bananafish]

Good idea to just publicly invite the world to hack the data. 

[Mr Meeseeks]

8 minutes ago, bluejets said:

Going on everywhere, not just Thailand so I wouldn't be too quick to judge any of Thailands setups.

Who cares if it happens elsewhere, although I struggle to recall similar breaches of personal data from government immigration depts. in the US or UK for example. I'm sure you will be along with a link shortly to back up those claims. Private company data breaches sure, but that's not what we are discussing here.

 

This isn't the first breach that Immigration have had either, just a couple of years ago there was a breach where all foreigners living in the Southern provinces had all their personal data exposed online including passport numbers, DoB etc.

 

It's becoming glaringly obvious that the Thai authorities simply cannot be trusted with sensitive data.

[Mr Meeseeks]

6 minutes ago, Russell17au said:

Well, All the Thai bashers are at it again, but they will not accept the "Data Leaks" that are occurring in Thailand but they cannot and will not admit to all the "Data Leaks" from banks, social security organisations and other government departments that occur in their first world home countries like America, UK, Australia and Europe. It does not matter what country it is in the world "computer data is not secure" If you do not want your information to be put onto a computer data base then don't give it to the organisation that wants it and just go home to your own country and curl up in a dark corner. 

Top notch whataboutery there.

[Russell17au]

Australian organisations notified the Office of the Australian Information Commission (OAIC) of 539 data breaches in the last six months of 2020, bringing the yearly total to 1051.

https://ia.acs.org.au/article/2021/australia-had-1051-data-breaches-in-2021.html

These include all the banks in Australia, Centrelink (social security), Dept of Immigration and Border Patrol plus many private companies. How many breaches has there been in America or UK or Europe?

 

Of the 539 breaches occurring between July and December last year, the number of incidents caused by human error increased by nearly 20 per cent, according to the Notifiable Data Breaches report.

Data breaches caused by human error tend to be simple mistakes such as sending personal information to the wrong email recipient, unintentionally disclosing the information, or simply forgetting to use BCC in a mass email – as the Department of Foreign Affairs and Trade did when sending bulk communications to Australian travelers stuck overseas last October.

Edited June 17, 2021 by Russell17au

[sandyf]

16 hours ago, internationalism said:

welcome to thailand 0.4.

do expect local mafia figures to check on your home safe, while you pop to shops.

you passport data used by terrorists (they might even take it with safe).

some spam sms and email messages with offers of real estate close to your home or some bitcoin offers (did happen to me shortly after registering for vax, but never ever before that)

Not again, another thread of whinging by the malcontents. Data breaches happen and it is certainly not unique to Thailand as many would make out. Grow up and learn to live with it.

 

Most breaches occur in North America. It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion.^[1][2] It is estimated that in first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches.^[3] In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.^[4]

^{https://en.wikipedia.org/wiki/List_of_data_breaches} 

[Seeall]

16 hours ago, Excel said:

Too much of a coincidence perhaps ?

Well if they can get most sites to work, no doubt using some un qualified discounted webchimp..   why would you ever expect them to ever have heard about cyber secuirity?  or even care?

[Surasak]

15 hours ago, phetphet said:

Nothing new. They have been doing it for years with the photocopies of application forms on the back of other peoples passport and other document copies.

Which is why I put two thick black lines on the reverse side of all papers presented to Immigration since my first renewal some years ago.

[BTB1977]

Its a joke the services set up for farangs. To them we are just below the soi dogs in social standings. Thats why its so easy to take all we have without any guilt.  

[BananaGuy]

I treat all my online stuff as public domain, they even welcome to slurp my bank accounts … they figure out a way to steal my debt I reckon I’ll be the winner …

 

… on a slightly more serious note, a far more massive Alibaba leak (more of a haemorrhage actually) in the IT news out today.

 

I imagine a few users of that fine emporium here?

[MrJ2U]

Same kids of some prominent General making the childish websites.

[Venom]

12 hours ago, Phuketshrew said:

My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.

I heard about this weeks ago from another source. This guy is merely a reporter and did not "hack" anything. Get a grip. 

[asiacurious]

2 hours ago, condobrit001 said:

If you discover that it is possible to look inside a neighbours bedroom with a telescope, this is illegal. So the correct course of action would be to refrain from looking and discreetly inform that neighbour to close their curtains, NOT to tell the whole street that the view is on offer!

 

The simile doesn't really work.  I'd suggest this might be more apt....

 

Frequently while walking your dog at night, you walk by your neighbor's house and see them having sex under a bright light with the curtains wide open for everyone to see.  They've done this kind of thing before and know this kind of behavior is harmful to the community but they either don't get it, or they don't care.

 

Instead of pulling the curtains closed, turning out the lights, or taking some other basic preventative actions to shield other people from this harmful situation THEY'VE created, they keep right on doing the same kind of thing time and time again.

 

[Tonypandy]

14 hours ago, JamieM said:

If it is visible on the clearnet it is not hacking.

Exactly 

[rabas]

13 minutes ago, asiacurious said:

 

The simile doesn't really work.  I'd suggest this might be more apt....

 

Frequently while walking your dog at night, you walk by your neighbor's house and see them having sex under a bright light with the curtains wide open for everyone to see.  They've done this kind of thing before and know this kind of behavior is harmful to the community but they either don't get it, or they don't care.

 

Instead of pulling the curtains closed, turning out the lights, or taking some other basic preventative actions to shield other people from this harmful situation THEY'VE created, they keep right on doing the same kind of thing time and time again.

 

 

But, was it illegal to film them without their consent and post it on the internet for all to see?

 

[SymS]

Anyone using broadband Internet is also at risk as routers ship with default username and password. At least it was the case a few years ago. I remember once I had a problem with ToT a while back, and they called me, asking me if I had changed the password because they can't access the configuration interface.

[Tonypandy]

they could have even left the system design just as it was, and only collected a person's first name and appointment time!  Why did they need email, phone, first and last names, passport, date of birth....?

 

There's a lot of people out there who would be happy to pay for such information, that's why

[asiacurious]

 

For those who say this goes on everywhere....

 

In other places, they normally make an effort to secure sensitive data and when someone does get hacked, the entry point is often through social engineering.

 

But here....

 

Well, you can't unlock an unlocked door.

 

 

1 hour ago, bluejets said:

Going on everywhere, not just Thailand so I wouldn't be too quick to judge any of Thailands setups.

 

1 hour ago, Russell17au said:

....they cannot and will not admit to all the "Data Leaks" from banks, social security organisations and other government departments that occur in their first world home countries like America, UK, Australia and Europe.

 

49 minutes ago, sandyf said:

Data breaches happen and it is certainly not unique to Thailand as many would make out. Grow up and learn to live with it.

 

[RocketDog]

17 hours ago, snoop1130 said:

On Tuesday, the Thai government released a statement to explain the issue on the Intervac website had been resolved after being caused by a “temporary glitch” and was now working again.

We can only hope that the entire Thai government is just a temporary glitch that will soon be fixed.