Why AIS’s cybersecurity measures need to be stepped up, and how.
It was recently reported that Thailand’s largest cell network by subscriber numbers, Advanced Info Service (AIS), had its database of 8 billion Internet records left open on the internet without a password earlier this month.
These records were exposed for about 3 weeks before AIS rectified the issue and closed off access to the data, according to security researcher Justin Paine, who first disclosed the incident in a blog post.
Saichon Submakudom, head of public relations at AIS, said: “”We acknowledge our procedures fell short, for which we sincerely apologize.” As the first incident of this kind, AIS will investigate the cause, she said.
While AIS confirmed that it owned the data and apologized for the security lapse, it claimed the incident exposed only a “small amount of non-personal, non-critical information for a limited period during a scheduled test”.
Although DNS queries do not carry private messages, emails, or sensitive data like passwords, access to the records allows one to gain insights into a person’s Internet activities, including the kind of devices they owned, which antivirus they ran, which browsers they used, and which social media apps and websites they frequented.
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Centre (CyRC), explained:
“Such information can be used to build a profile of user’s Internet access. While network techniques such as NAT can merge the history from multiple devices, the reality is that potential user profiles can still be readily created. If you consider that people often search for solutions to medical aliments from computers where they also search for benign information like restaurants and sports information, search history can be viewed as potentially identifiable and when collected at the network level, also something that a user can’t easily remove after the fact.”
Mackey expressed concern over the fact that exposure of an unsecured or weakly secured database on the internet is becoming commonplace, despite being eminently preventable through any number of monitoring and review processes. “As worrying as an unsecured database might be, an unsecured database with browser history or DNS lookups is particularly problematic.”
Thailand’s telecom regulator, the National Broadcasting and Telecommunications Commission (NBTC), has handed an official warning letter to a subsidiary of AIS, urging it to strictly ensure cybersecurity and data protection.
The warning was issued after Advanced Wireless Network Co (AWN), the operator of AIS’s licensed mobile business, was summoned by NBTC to explain the incident.
In light of this incident, Peter Bagge, Vice President, Asia Pacific, OpenText commented: “Beyond the financial harm and losses to any business, government or city hit by a cyberattack, brand and reputation are also likely to take a nose-dive.”
The question of whether a business or city adequately protected themselves from breaches comes into play, he said. “Did they take the right measures and planning? How will they recover and regain trust?”
Bagge advised: “You’ve got to protect every link in the chain if you want to stand a chance against cybercriminals. Having a strategic plan in place means you’re one step ahead of keeping out the bad guys and that you have the measures in place to return to business as usual once you get compromised.
“Be cyber resilient. Prepare for a cyberattack by getting the right tools in place to investigate and uncover weaknesses and vulnerabilities and make sure your team is trained and has the expertise to use those tools in the event of an emergency. It’s going to take more than just data security software to protect you from today’s hackers.”