Security researcher Bob Diachenko has discovered an unsecured database containing personal information of 106 million foreign nationals who have visited Thailand in the past decade.
Diachenko, who discovered the data exposure on Aug. 22, says he was unable to ascertain how long the data had been unsecured. The exposed data, he says, was in an Elasticsearch database, which was indexed this year on Aug. 20 by search engine Censys.
The earliest record found in the database was from November 2010.
More than an identity theft issue, the exposure is a privacy concern, says Diachenko. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive, he explains.
“For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own.
“However, in combination with other data – name, address, email, phone number, etc. – cross-referenced from other leaks, someone could come up with a perfect profile for a phishing attack,” he says.
“With this information, very compelling spear-phishing emails or vishing calls can be made, using the information as a background story to get a victim to click on a malicious link, open an infected document or give up sensitive information.”