



UPDATED: Thailand healthcare system suffers data breach

Mar 28, 2016 | 3 mins
Application Security, Data Breach, Government

I was poking about on social media after lunch today when I noticed someone had found that the Thai immigration systems were exposing the personal data of people who had entered the country from abroad. Personal information of many people living in the country was exposed due to an unfortunate system configuration.

From Bangkok Post:

The gaffe was spotted by social media users late Sunday when a database appeared online containing the names, addresses, professions and passport numbers of more than 2,000 foreigners living in Thailand’s southern provinces, principally Nakhon Si Thammarat province.

The website carried an immigration police seal but used a private Thai web address, not one usually associated with government sites. It was openly available without a password and some industrious users guessed the site’s less-than-secure administration password: 12345.

That was an immigration system.

Now there is a healthcare system that is open to all. It turns out that the password was easily bypassed and the information was readily accessible to anyone who could puzzle out how to do directory traversal, according to information provided by a third party. The article in the Bangkok Post said the site had been taken down, but it was still accessible at the time of this writing on Monday evening.

NB. I wrote that it was still online… it seems that I had my wires crossed between the immigration system that the Bangkok Post had written about and the healthcare system that my information was pointing to instead.

descr: Ministry of Public Health, Thailand
descr: Information and Communication Technology Center
descr: The Permanent Secretary Office
descr: Tivanont Road, Nontaburi, 11000

It seems that this system wasn’t protected; they got rid of the domain name but neglected to take down the and the IP address of the web server in question, which tracked back to the Health ministry.


To further complicate matters, this system was not even running HTTPS. All of the files were available in the clear, which meant that, in all likelihood, a password, if there was one, could be easily intercepted as well. According to a statement issued by the owner of the immigration website, it was a “demo” and should not have gone live. Curious point being that some of the files, including the manual for using the system, dated back to 2014. This was made clear later by the fact that this was, in fact, a healthcare ministry system.

Hmm, so there were rudimentary directory traversal issues and no encryption. Not a particularly good recipe for security.

The server also apparently housed information pertaining to people who were suspected of potentially being infected with Ebola.


The web server was running an old version of Apache that was last updated in July 2015. Also of note is that the version of PHP that is running on the system was released in 2010, which is subject to a fistful of vulnerabilities in its own right.

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 22:41:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 880
Connection: close
Content-Type: text/html; charset=utf-8
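Administrators can run the same kind of check against responses from their own servers. The sketch below is an added example, not code from the original article: it parses the header block shown above and reports disclosed versions and end-of-life runtimes. The `EOL` table and the function names are assumptions made for illustration.

```python
import re
from datetime import date
from email.utils import parsedate_to_datetime

# Header block as printed in the article.
RESPONSE_HEAD = """HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 22:41:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 880
Connection: close
Content-Type: text/html; charset=utf-8
"""

# Assumption: a hand-maintained end-of-life table. Only the PHP 5.3 branch
# (final upstream release on 14 Aug 2014) is filled in here.
EOL = {("php", "5.3"): date(2014, 8, 14)}

# Matches product/version tokens such as "Apache/2.2.15" or "PHP/5.3.3".
BANNER = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_head(raw):
    """Split a raw response head into (status_line, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit(raw):
    """Return (header, product, version, issue) findings for one response."""
    _, headers = parse_head(raw)
    # Judge end-of-life status as of the response's own Date header.
    seen = parsedate_to_datetime(headers["date"]).date() if "date" in headers else date.today()
    findings = []
    for name in ("server", "x-powered-by"):
        for product, version in BANNER.findall(headers.get(name, "")):
            findings.append((name, product, version, "version disclosed"))
            branch = ".".join(version.split(".")[:2])
            eol = EOL.get((product.lower(), branch))
            if eol and seen > eol:
                findings.append((name, product, version, f"end of life since {eol.isoformat()}"))
    return findings

if __name__ == "__main__":
    for finding in audit(RESPONSE_HEAD):
        print(*finding, sep=" | ")
```

A distribution banner such as the CentOS one can understate the real patch level because vendors backport fixes, so treat a finding as a prompt to check the installed package version.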

This data breach news comes on the heels of multiple site compromises coupled with a push to ensure that all HTTPS traffic can be monitored. Lofty ambitions, but it appears there are some rather serious cyber security issues lingering in Thailand.

NB. I have updated the article to reflect the conflated issues of the immigration and healthcare webservers that were found to be exposed. Thanks to “bact” for clearing up the confusion.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
