By SIRIVISH TOOMGUM
THE NATIONAL Broadcasting and Telecommunications Commission (NBTC) is considering setting up its own data centre to store personal data of mobile-phone users following the latest data security breach of a private operator, secretary-general Takorn Tantasith said yesterday.
He said the state agency should play a leading role in protecting such data.
Currently, mobile-phone operators are responsible for the collection and storage of customer data.
The NBTC yesterday summoned representatives of True Corp and WeMall to explain the recent findings of foreign security expert Niall Merrigan that the personal data of some TrueMove H Universal Communication mobile-phone subscribers, stored by WeMall on an Amazon Web Services S3 cloud storage bucket, could be accessed without authorisation.
WeMall, formerly iTrueMart, is the online retail platform of Ascend Group Co Ltd, which is part of the Charoen Pokphand group. WeMall provides an online channel for people to buy TrueMove H mobile devices and call packages.
Meanwhile, Interior Minister Gen Anupong Paochinda yesterday warned that people’s personal data could not be leaked and anyone involved with wrongful disclosure of personal data would be punishable by law.
He said the Interior Ministry’s Provincial Administration Department ran the country’s secured database on people’s ID cards and 13-digit numbers which prevents unauthorised access by third parties.
The current national ID card system contains an individual’s ID number, full names, date of birth, religion, address, issue and expiry dates as well as issuing office, he said, adding that the system has no other data of individuals.
Suebsakol Sakolsatayadorn, the managing director of Ascend Commerce, said the TrueMove H data at issue could not be accessed publicly, but Merrigan, the security expert, had used special tools to access the folder containing the data. The folder contains scanned images of the ID cards of 11,400 TrueMove H postpaid subscribers. They are customers who bought TrueMove H service and packages via the WeMall online channel.
WeMall fixed the problem on April 12.
Pakpong Pattanamas, deputy director for mobile business of True Corp, said the personal data of other TrueMove H subscribers were securely stored by TrueMove H’s internal system.
Suebsakol said that WeMall and TrueMove H have always given top priority to data security but those who commit cybercrimes always have new tools to break in. The two partners have already worked with global cybersecurity experts to plug any loopholes in their data system.
Pakpong said that TrueMove H would inform all 11,400 affected customers of the measures it has taken to solve the problem and would notify police about the incident. However, the notification to the police will not specify the wrongdoer, pending further investigation.
TrueMove H will also examine the data security systems of all its partners to see if they have complied with its policy to ensure maximum protection for customers’ data.
Takorn added that the NBTC would put details of the WeMall case before the board to see how it should proceed next.
Pakpong said that TrueMove H is considering how to proceed in the case of Merrigan.
In a related matter yesterday, the NBTC called in telecom operators to discuss the widespread problem of unsolicited SMS-based content. Last year 772 people complained that they had received SMS messages from content providers inviting them to subscribe to their services. When they clicked open to read the SMS, the content providers immediately charged them without asking for their consent. The combined cost amounted to Bt176,000 last year.
Of the total complaints, 264 were from customers of Advanced Info Service, 301 from customers of Total Access Communication and 236 from True customers. There have been 292 complaints so far this year. In most of the cases the telecom operators agreed to compensate affected customers. Takorn said that he had asked all the operators to send an SMS message to these customers advising them that if they want to cancel subscriptions for the content they can dial *137. Operators have to send this message on April 24.