misconfiguration | Resolved

Thailand 106-million traveller database exposure

An unsecured Elasticsearch database left the passport numbers, visa data and arrival-card details of more than 106 million foreign visitors to Thailand openly accessible on the internet.

Victim: Royal Thai Government (immigration / arrival records)
Records: 106.0M
Users: 106.0M

In September 2021, researchers revealed that a database holding the personal records of more than 106 million foreign visitors to Thailand had been left completely unsecured on the public internet: no password, no firewall, indexed by a search engine and downloadable by anyone who found it.

What happened

On 22 August 2021, security researcher Bob Diachenko of Comparitech located an exposed Elasticsearch instance roughly 200GB in size. It had been indexed by the Censys search engine two days earlier, on 20 August. The database contained 106,000,000+ records of people who had entered Thailand, with dates ranging from 2011 to the present day.

Diachenko confirmed the data was genuine in the most direct way possible: he found his own arrival record in it from an earlier trip to the country.

What was exposed

Each record contained the kind of information collected on a Thai immigration arrival card:

  • Full name
  • Arrival date
  • Gender
  • Residency status
  • Passport number
  • Visa information and type
  • Thai arrival-card number

Notably, no financial data (credit cards, bank details) was present, which limited the immediate fraud risk. But passport numbers, names and travel history are precisely the identifiers used for identity theft, document forgery and targeted phishing.

Response

Diachenko followed responsible-disclosure practice and alerted the Thai authorities on the day of discovery. Thai officials acknowledged the report on 23 August and secured the database the next day. The exposed instance was reportedly replaced with a honeypot to study any continued access attempts.

The Thai government maintained that no unauthorised third party had accessed the data before it was locked down, though, as is typical with open databases, the precise window of exposure before Diachenko's discovery could not be established with certainty.

Why it matters

The incident is a textbook example of breach-by-misconfiguration: there was no sophisticated intrusion, no malware and no ransom, simply a government-held dataset of national scale left open by default. Because the records reached back a decade, the exposure potentially affected any foreigner who travelled to Thailand since 2011, making it one of the largest known exposures of cross-border traveller data anywhere.

It underscored a recurring lesson for the public sector across Southeast Asia: large citizen and visitor datasets accumulate quietly, and a single mis-deployed search index can place tens of millions of people's identity documents within reach of anyone with a browser. The case also fed directly into Thailand's tightening enforcement of its Personal Data Protection Act (PDPA), which came into force in 2022.

Timeline

  1. The 200GB Elasticsearch database is indexed by the Censys search engine, making it publicly discoverable.

  2. Security researcher Bob Diachenko discovers the open database and finds his own travel record inside it.

  3. Diachenko notifies the Thai authorities under responsible-disclosure protocol.

  4. Thai authorities acknowledge the incident and secure the database the following day.

  5. The exposure is publicly reported, covering records of more than 106 million visitors dating back to 2011.
