Data leak on vaccine registration website for foreigners in Thailand — exposes users’ personal information

Expat blogger Richard Barrow exposed a data leak on the Covid-19 vaccination registration website for foreigners in Thailand yesterday.

According to Barrow, the leak allowed anyone to view the personal information of any foreigner who has registered for a Covid-19 vaccination in Thailand.

This included their names, locations and passport numbers.

The leak appeared when Barrow clicked on the ‘edit’ button: a name, with all its personal information attached, appeared in the information boxes.

Barrow immediately tweeted a warning that any other foreigner planning to register on Thailand Intervac should be aware that their personal information could be immediately available for other people to access.

“URGENT WARNING: If you are using the thailandintervac.com website to register for a vaccine appointment, please be aware ALL your personal details are freely available.”

He then posted evidence on his Twitter account showing the edited names of several users that had previously registered on Thailand Intervac. (See graphic above.)

In a lengthy message to Barrow soon after, the Department of Disease Control Office of International Cooperation director Soawapak Hinjoy explained why the data leak had occurred.

First, we apologize for this issue that has occurred.

Secondly, these are messages which we would like to inform/explain on this issue:

  • In urgent circumstances, the DDC needs to develop the website to support the vaccines for foreigners living in Thailand. It’s to meet the needs of a large number of individuals in the equality and prioritization group.
  • In the late afternoon, it was necessary to increase the number of seats for foreigners in order to book the vaccines in the near future. Team development has been revised a coding system during website operation. This means the website was in the process of improving and revising at the same time. The problem then arose.
  • The problem had been identified and occurred for 10 minutes. A person who could see other last registrants was the person clicking on the non-general portal of the page. Another reason is that this individual entered the page and opened it until the session expired. The website control system was erroneous. If people make the request normally, they cannot see the list of other people enrolled. Nevertheless, the development of the team has already solved the problem.

In a follow-up tweet, Richard Barrow commented:

I think it’s obvious to everyone that the data breach went beyond 10 minutes. In fact, several people brought to my attention that you could access private information of others last week. Also @iamKohChang claimed there was a way to view information from anyone in the database.

Minutes later, he followed up with a second tweet saying:

The government has never been good with online services. Just ask any foreigner who has struggled with 90 day reporting. Then there are the numerous failures of the covid apps. Maybe one day they will hire professionals. If restaurants can produce working apps, why can’t they?

Problems with government websites in Thailand are not unusual.

Five years ago, a data leak occurred on a website being developed for use by the Thai government. The test website exposed the data of more than 2,000 foreigners living in southern Thailand.

Only a few days later, a second data leak was discovered on a website owned by Thailand’s Bureau of General Communicable Diseases.

That data breach leaked foreigners’ most recent vaccine shots, names, nationalities, passport and flight numbers, and addresses in Thailand.