Thailand’s True Corp has fixed a data leak involving the exposure of identity records on up to around 45,000 of its customers.
Security researcher Niall Merrigan discovered personal data on customers of True Corp’s e-commerce subsidiary iTrueMart (now WeMall) stored in a public-facing Amazon S3 bucket in March.
The 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, drivers licenses and possibly passports.
In a blog post, Merrigan said he informed True Corp’s mobile unit True Move H about the breach on March 10, but the company took no action until he went to the media in early April. The files were finally made private on April 12.
Merrigan indicated that True Corp seems to be misrepresenting the incident as a hack, but there was no security on the data bucket and anybody could have found and downloaded all the files.
Telecoms regulator NBTC is investigating the incident, and may impose penalties on True Corp for exposing customer information. The stored identity records may have been collected as part of the Thai government’s mandatory SIM registration scheme, which has already been a target of identity thieves and has been opposed by privacy advocates.