UPDATED: Thailand healthcare system suffers data breach


I was poking about on social media after lunch today when I noticed someone had found that the Thai immigration systems were exposing the personal data of people who had entered the country from abroad. The personal information of many people living in the country was exposed due to an unfortunate system configuration.

From Bangkok Post:

The gaffe was spotted by social media users late Sunday when a database appeared online containing the names, addresses, professions and passport numbers of more than 2,000 foreigners living in Thailand's southern provinces, principally Nakhon Si Thammarat province.

The website carried an immigration police seal but used a private Thai web address, not one usually associated with government sites. It was openly available without a password and some industrious users guessed the site's less-than-secure administration password: 12345.

That was an immigration system.

Now there is a healthcare system that is open to all. It turns out that the password was easily bypassed and the information was readily accessible to anyone who could puzzle out how to do directory traversal, according to information provided by a third party. The article in the Bangkok Post said the site had been taken down, but it was still accessible at the time of this writing on Monday evening.

NB. I wrote that it was still online... It seems that I had my wires crossed between the immigration system that Bangkok Post had written about and the healthcare system that my information was pointing to instead.

descr: Ministry of Public Health, Thailand
descr: Information and Communication Technology Center
descr: The Permanent Secretary Office
descr: Tivanont Road, Nontaburi, 11000

It seems that this system wasn't protected. They got rid of the domain name but neglected to take down the web server in question, and its IP address tracked back to the Health ministry.

[Screenshot: Dave Lewis]

To further complicate matters, this system was not even running HTTPS. All of the files were available in the clear, which meant that, in all likelihood, a password, if there was one, could be easily intercepted as well. According to a statement issued by the owner of the immigration website, it was a “demo” and should not have gone live. A curious point is that some of the files, including the manual for using the system, dated back to 2014. This was made clear later by the fact that this was, in fact, a healthcare ministry system.

Hmm, so there were rudimentary directory traversal issues and no encryption. Not a particularly good recipe for security.

The server also apparently housed information pertaining to people who were suspected of potentially being infected with Ebola.

[Screenshot: Dave Lewis]

The web server was running an old version of Apache that was last updated in July 2015. Also of note, the version of PHP running on the system was released in 2010 and is subject to a fistful of vulnerabilities in its own right.

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 22:41:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 880
Connection: close
Content-Type: text/html; charset=utf-8
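
As an added example (not part of the original article), here is how an administrator could audit their own server's response headers for the version-bearing banners seen above. The `MIN_VERSIONS` baseline and the function names are assumptions made up for illustration.

```python
import re

# Response head as shown in the article.
SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 22:41:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 880
Connection: close
Content-Type: text/html; charset=utf-8
"""

# Hypothetical site policy (constructed values): oldest versions tolerated.
MIN_VERSIONS = {"apache": (2, 4, 0), "php": (5, 6, 0)}
BANNER_HEADERS = ("server", "x-powered-by")
# product/version tokens such as "Apache/2.2.15" or "PHP/5.3.3"
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")

def parse_headers(raw):
    """Return {lowercased header name: value} from a raw response head."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():                 # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_banners(raw, minimums=MIN_VERSIONS):
    """List (header, product, version, issue) tuples for banner headers."""
    findings = []
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        for product, version in TOKEN.findall(headers.get(name, "")):
            # Any product/version token tells a visitor what to look up.
            findings.append((name, product, version, "version-disclosed"))
            floor = minimums.get(product.lower())
            if floor and tuple(int(p) for p in version.split(".")) < floor:
                findings.append((name, product, version, "below-baseline"))
    return findings

if __name__ == "__main__":
    for finding in audit_banners(SAMPLE):
        print(finding)
```

Apache's `ServerTokens Prod` and PHP's `expose_php = Off` remove the version strings, but a "below-baseline" finding is only cleared by upgrading the software.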

This data breach news comes on the heels of multiple site compromises coupled with a push to ensure that all HTTPS traffic can be monitored. Lofty ambitions, but it appears there are some rather serious cyber security issues lingering in Thailand.

NB. I have updated the article to reflect the conflated issues of the immigration and healthcare webservers that were found to be exposed. Thanks to "bact" for clearing up the confusion.
