True urged to compensate data-breach customers

True Move's deputy director Pakpong Pattanamas (second right) defends the company's security measures to a sceptical meeting at the National Broadcasting and Telecommunications Commission on Tuesday. (Photo by Chanat Katanyu)

The telecom regulator has ordered True Move H to assess the impact and prepare a compensation offer to customers affected by the recent leak of personal data.

The move came after a meeting between the executive of the National Broadcasting and Telecommunications Commission (NBTC) and the company's representatives.

This followed an alert sent to True in March by Niall Merrigan, a Norway-based cybersecurity researcher, saying he was able to access 32 gigabytes of data on 11,400 True customers, held by iTruemart on Amazon Web Services (AWS) in a type of cloud storage known as an S3 bucket.

The data included their ID cards and passports.

NBTC secretary-general Takorn Tanthasit said after the meeting that the NBTC has yet to decide whether to punish True as it needs to conduct a formal investigation into the incident first.

Still, the NBTC has ordered True to consider compensation for affected customers and will issue a letter demanding mobile phone operators take appropriate precautions to prevent similar breaches in the future.

Pakpong Pattanamas, deputy director for mobile business of True Corporation, said True Move H is considering taking legal action against Mr Merrigan for intentionally hacking the data from the system.

"Mr Merrigan used three special tools to access data which he has no right to get into," said Mr Pakpong.

iTruemart, currently known as WeMall, is the online retail platform of the company.

The personal data kept by iTruemart is not readily accessible to the general public, only to experts, said Mr Pakpong.

True Move H is assessing the damage caused by the incident as it consults with its lawyers.

A source in cloud technology said this case is not about IT security but carelessness by those in charge of True's AWS S3 service.

The default setting for the platform is "private", which has raised the question of why the company had its storage set to "public" mode instead.

"It's like you open the door and forget to close it, nothing about special hacking tools," said the source.

"The most important thing is that True, or any user of the service, should encrypt sensitive data before it is uploaded to the cloud," said the expert.

In another development, the NBTC on Tuesday called all telecom operators to discuss the widespread problem of unsolicited SMS content.

Mr Takorn said that last year 772 people complained they received messages containing links to subscription services which, when clicked, led to them being immediately charged money, with a total cost of 176,000 baht.

Mr Takorn said the NBTC has instructed telecom operators to contact any customers who may be unknowingly enrolled in these subscriptions, advising them they can dial *137 to cancel. The operators have to start sending SMS alerts to customers on April 24.