TrueMove H told to clarify leak of its customers’ ID card information

The National Broadcasting and Telecommunications Commission (NBTC) has summoned mobile phone service provider TrueMove H to a meeting on Tuesday to clarify the alleged leak of the ID card information of a large number of its customers.

NBTC secretary-general Takorn Tanthasit said Saturday (Apr 14) that the telecom regulator wanted to find out whether the leak was deliberate before deciding whether to take legal action against the company.

Under the law governing frequency allocation, broadcasting and telecommunications, intentionally leaking confidential personal information about telephone subscribers is illegal, and the NBTC can withdraw the operating license of the service provider.

“The NBTC office has attached importance to the case as it impacts on the personal information of the subscribers, so we speed up the case to protect public interest,” said Takorn.

It was reported that a foreign-based information security researcher, Niall Merrigan, found that about 46,000 items, or 32 gigabits, of ID card information of TrueMove H subscribers, which had been kept in the cloud since 2016, had been leaked.

After finding the leak, Merrigan tried to contact TrueMove H through several channels to inform the company that its database of subscribers’ ID cards was not adequately protected and, finally, on March 8 succeeded in contacting the company through its Twitter account.

The researcher sent all the information about the case to TrueMove’s email, but an official of TrueMove Care replied that he could not contact the information security section and asked the researcher to contact the head office directly.

After 2-3 weeks, there was still no progress from TrueMove H, prompting Merrigan to warn TrueMove Care that he would inform the public about the case.

On April 4, TrueMove Care informed Merrigan that action was being taken to deal with the matter, and on April 10 the company said that the ID card information folder had been closed.

But at this stage, it is still unclear whether any unauthorized outsiders managed to download the ID card information of the subscribers.