Thai telecoms regulator NBTC has instructed mobile operator True Move H to assess the impact of its recent personal data leak and offer compensation to any affected customers.
The regulator also plans to conduct a formal investigation into the incident and consider imposing punishments, and issue a letter demanding that mobile operators take appropriate steps to prevent similar breaches in the future.
A security researcher recently revealed that the identity documents of up to 45,736 customers of True subsidiary iTrueMart had been exposed by being stored in a publicly-accessible Amazon S3 data bucket. The company also took more than a month to finally make the cache of files private.
Researcher Niall Merrigan discovered the cache by scanning certificate transparency logs created when someone creates a new security certificate.
Yet True Move H and parent True Corp are continuing to characterize the action as a data breach. A True Corp executive told that the company is considering taking legal action for hacking the data from the system, stating that he used “special tools to access data which he has no right to get into.”
But a cloud expert noted that because the default setting for the AWS S3 service is private, True had to have intentionally set the data to public.