Leaked data contained no personal info, insists AIS
Telecom operator Advanced Info Service (AIS) issued a statement on Monday (May 25) to confirm that no personal data of its customers had been leaked.
The company was responding to a report posted on the US-based TechCrunch website that security researcher Justin Paine had found real-time internet records of billions of Thai internet users earlier this month that AIS had leaked.
“We are aware of report alleging an incident regarding AIS customers’ data. We confirm that a small amount of non-personal, non-critical information was exposed for a limited period in May during a scheduled test,” said Saichon Submakudom, chief of the AIS public relations department.
She added that the data released only had to do with Internet usage patterns and did not contain personal information that could be used to identify any customer or harm them financially or in any other way.
“We are pleased that this incident was contained quickly, and no customers were adversely impacted. AIS cares deeply about protecting customers’ personal information,” she said.
“We are continually reviewing our security procedures to ensure global best practices. However, on this occasion, we acknowledge that our procedures fell short and for that, we sincerely apologise.
“Since this is the first incident of its kind, AIS has thoroughly investigated the cause and already taken steps to improve our procedures. We continually strive to maintain the highest standards in ensuring the safety of our customers and their personal data,” she added.
According to TechCrunch, Paine had said in a blog post that he found the database – containing DNS queries and Netflow data – on the internet unguarded by a password.
With access to this database, Paine claimed that anybody could see in real time what an internet user or their household was browsing, enabling them to build a picture of the target’s internet usage. Paine discovered the database on May 7, with 8.3 billion documents, 4.7 terabytes of data and about 200 million rows of new data added daily.
Paine said he alerted AIS to the exposed database several times since May 13 but received no response. A week later he reported the apparent security lapse to Thailand’s national computer emergency response team (ThaiCERT), which contacted AIS about the exposed database.
Shortly after, AIS closed access to the database on May 22.