True Corp defends security measures after user data breach

Pakpong Pattanamas of True Corp explains the leaked data of users to the National Broadcasting and Telecommunications Commission at the NBTC office on Tuesday. (Photo by Chanat Katanyu)

True Corp on Tuesday defended its security measures after what is possibly the first known instance of a major data leak at a mobile operator in Thailand, saying the data had been "hacked" by an expert.

True Corp is Thailand's second-biggest mobile operator and the flagship company of billionaire Dhanin Chearavanont's Charoen Pokphand Group.

Earlier, True said stored copies of national identification cards belonging to 11,400 customers who bought "TrueMove H" mobile packages via True's e-commerce platform iTruemart, run by True's digital arm Ascend Commerce, had been made public.

The data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True's customer data, including identification cards, and that he notified True in March about the security breach.

"There was no security at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details," Merrigan wrote in his blog.

True said the leak was fixed on April 12.

Seubsakol Sakolsatayadorn, Ascend Commerce's managing director, said the data was private and that customers' information was hacked by Merrigan.

"In this case the expert did not have the right to access this and he used special tools," Seubsakol told reporters at a news conference.

According to Pakpong Pattanamas, a deputy director for True's mobile business, True has "a good security system".

Merrigan declined to comment when contacted by Reuters on Tuesday.

True Corp's share price fell 1.38% after report of the leak, against a broader market decline of 0.33%.

True is working to prevent "this sort of incident" from happening again, said Mr Pakpong.

"TrueMove H will send out an SMS to the 11,400 affected customers and inform them about the security measures that we have taken so far," Mr Pakpong said.

The National Broadcasting and Telecommunications Commission (NBTC) said it would ask Thailand's five main mobile operators to clearly outline their data protection measures.

The NBTC is looking to build its own data centre to store customers' information, Takorn Tantasith, secretary-general of the country's telecoms regulator, told reporters.

"The NBTC thinks that data storage should be done by a government agency," he said.

"If a state agency is responsible then the public will have more confidence. This is part of our long-term plan," he added.