DataBreaches.net seems to be the only site willing to report on certain breaches in Thailand these days. First it was the hack of Country Group Securities (CGSEC) by hackers calling themselves ALTDOS. And now this week, this site reported a second attack by the same threat actors that involved MONO Next Public Company.
As previously reported, when asked for a response to the attack on MONO, the company sent a statement. That statement seems to have irritated the threat actors, who provided DataBreaches.net with a statement responding to it and more data as proof.
Based on the new information provided to DataBreaches.net, it appears that MONO, which is one of a number of Jasmine International PLC subsidiaries, was not their initial target. ALTDOS attacked MONO when negotiations with Jasmine following an attack on another subsidiary, 3BB, failed to produce payment. 3BB was attacked in November.
3BB is a fixed broadband service provider with millions of customers. ALTDOS claims that they eventually acquired 8 million records with user information (name, address, date of birth, ID card number, mobile number, email address, username, password, etc.) and other corporate records. As proof of claim, ALTDOS provided DataBreaches.net with not only screenshots but also files with customer data, including one spreadsheet with 10,000 customer records.
ALTDOS began negotiations on December 18, 2020. They claim that when Jasmine would not pay their $500,000 demand after the 3BB breach, they hacked into 12 of MONO’s data servers and stole hundreds of gigabytes of databases. Their hope was to “force their management into a proper negotiation with ALTDOS.”
Management replied on December 26, asking for more time, they claim. But after that, ALTDOS didn’t hear from the representative again, and so on New Year’s Day, ALTDOS breached 3BB’s Wifi Hotspot servers and stole over 2.8 million user records. A file with more than 83,000 records was provided to DataBreaches.net as proof.
Following the attack on the Wifi Hotspot servers, management sent a new representative to start or restart negotiations with them.
“Their management proposed to pay us 1/3 of the demanded amount and hire ALTDOS as their security consultant over the next 2 years with 2/3 of the balance amount,” an ALTDOS spokesperson claims, adding that ALTDOS refused their proposal and negotiated an 8-week installment plan for payment.
The negotiations began to fail when a few senior executives reportedly refused to agree to the installment payment plan. On January 7, ALTDOS leaked some MONO data.
It might have stayed at that leak level, except that MONO issued their press release and the statement angered the threat actors. They wrote to DataBreaches.net:
ALTDOS is seriously insulted by their management statement which seems to undermine our expertise, and so here are the facts:
ALTDOS did not steal some of their employee records. We stole all of their employee records. The stolen information contains more than just name and age. The HR databases contain everything related to each employee, including their father, mother, brother, sister, education, previous employment, salary amount and a lot more.
As partial proof, they sent DataBreaches.net data from MONO Human Resources. There were more than 2,900 records with numerous populated fields:
There were so many fields in the HR file that it took three screenshots to capture all the fields. ALTDOS indicated that SQL databases were being converted to .csv format. Redacted by DataBreaches.net.
ALTDOS also provided DataBreaches.net with an employee resume file from MONO that had numerous personal and sensitive data fields and almost 20,000 records. DataBreaches.net is merely listing all the fields:
But the press release trying to downplay the amount of employee data stolen was not ALTDOS’s only objection to the firm’s press release (which was quoted in the update to this post). They continued responding to the firm’s claims:
- ALTDOS did not steal some of their online customer information. We stole more than 8 million of their users’ sensitive information.
- The stolen corporate financial records are not those publicly available records. ALTDOS stole financial records ranging from bank account details, bank transfer, payment transaction records to their clients’ payment history. Eg, ALTDOS knows their exact charges for different advertisers at different time intervals of the day for various 30 seconds time slots on their TV channels from 2014 to 2020. We even know the balance in each of their bank accounts in different banks on different days throughout the 6 years.
- Their statement says that they have a security system in place. Well, ALTDOS stole tons of their data for almost 2 months without red flags. There isn’t even a firewall installed to prevent simple attacks.
There was more to their statement but readers probably already have the gist of it all. One specific criticism by ALTDOS was a bit surprising:
The fact is ALTDOS warned them via email every time before our attacks, mentioning the time or the target of attack, yet ALTDOS manages to breach in each attack. There is no more preventative management.
Jasmine’s communication person was sent an inquiry following up on their first press release and then a second inquiry about ALTDOS’s updated claims, but no response to either inquiry had been received by the time of publication.
Jasmine and CGSEC both appear to have been somewhat successful in Thailand in terms of getting news outlets not to report on their respective attacks, but they still may have to disclose it all because notification following a breach is covered by Thailand’s data protection law. Linklaters cites the relevant provision of law this way:
Notice of breach laws
If there is a breach of personal data, the controller must notify the Office of the Committee without delay and within 72 hours of identifying the breach, unless it poses no risks to the rights and freedom of an individual.
If the breach poses a high risk to the rights and freedom of an individual, the controller shall notify such breach to the individual without delay together with remedial guidelines.
A processor must inform the relevant controller if there is a data breach.
It is not known to DataBreaches.net whether 3BB and MONO have notified any employees and consumers (both of whom, it seems, may be considered “data subjects”), but DataBreaches.net did not find any notifications or statements online. Nor is it known if the firms have notified the data protection commissioner’s office within 72 hours. Update: It appears the government gave some classes of entities an extension until later this year to comply so these firms may not be obligated to notify at this time. They are, however, still responsible for having basic data security controls and measures in place.
In this case, management may be particularly motivated to suppress any possible bad publicity as they had a scandal in October, 2019 when Jasmine’s CEO and Director Pete Bodharamik (who was also Chairman of the Board of MONO) was fined by the Securities and Exchange Commission for insider trading. Would exposure of multiple hacks of consumer and employee data lead to regulator scrutiny and/or investor jitters?
But apart from regulatory and investor concerns, Jasmine’s negotiation strategy and incident response appear to be backfiring. Not only did their strategy result in ALTDOS launching further attacks and data exfiltration to motivate them to negotiate, but ALTDOS raised their demand to $1.5 million after getting additional 3BB data in a second hack plus the MONO data. And of course, ALTDOS has now publicly revealed more than they had intended to.
In the U.S., large firms with resources generally retain outside counsel and hire firms that specialize in negotiating with threat actors if the firm is willing to negotiate or discuss a payment. It may be different in Thailand, but counting on suppression of news reporting and/or minimizing an attack are generally not winning strategies.
Perhaps the one ray of good news for Thai entities is that ALTDOS may be turning away from them as targets because of the difficulties they experience with the language.
ALTDOS is definitely avoiding non-English language countries for the moment. The language barrier poses a huge barrier both during attacks as well as during negotiation. During attacks, ALTDOS has to make sense out of their language internally by using translator software and this increases the effort and time required to breach a target.
Thai companies like 3BB don’t care much about data breaches as it would be almost impossible for any ordinary citizen whose data was stolen and who suffered financial loss as a result of their alleged negligence to gain any form of financial redress before the Thai courts.
That’s discouraging, but maybe when consequences go into effect later this year, companies may care a bit more. A fine equivalent to USD $150,000.00 isn’t much for a big corporation, and the criminal penalties don’t seem to apply to anything other than intentional breaches/disclosures, but maybe if the public starts complaining to the regulator and the regulator publishes findings, companies will care more about the bad press they may get.
In any event, I will continue to report breaches to inform the public when their data has been stolen and likely dumped.