From the frying pan into the fire: Thai business angers hackers

DataBreaches.net seems to be the only site willing to report on certain breaches in Thailand these days. First it was the hack of Country Group Securities (CGSEC) by hackers calling themselves ALTDOS. And now this week, this site reported a second attack by the same threat actors that involved MONO Next Public Company.

As previously reported, when asked for a response to the attack on MONO, the company sent a statement. That statement seems to have irritated the threat actors, who provided DataBreaches.net with a statement responding to it and more data as proof.

Based on the new information provided to DataBreaches.net, it appears that MONO, which is one of a number of Jasmine International PLC subsidiaries, was not their initial target. ALTDOS attacked MONO when negotiations with Jasmine following an attack on another subsidiary, 3BB, failed to produce payment. 3BB was attacked in November.

3BB is a fixed broadband service provider with millions of customers. ALTDOS claims that they eventually acquired 8 million records with user information (name, address, date of birth, ID card number, mobile number, email address, username, password, etc.) and other corporate records. As proof of claim, ALTDOS provided DataBreaches.net with not only screenshots but also files with customer data, including one spreadsheet with 10,000 customer records.

[Image: folders with user data. 3BB user data was acquired by ALTDOS. Image: provided.]

[Image: 3BB user data. 3BB user records. Redacted by DataBreaches.net.]

ALTDOS began negotiations on December 18, 2020. They claim that when Jasmine would not pay their $500,000 demand after the 3BB breach, they hacked into 12 of MONO’s data servers and stole hundreds of gigabytes of databases. Their hope was to “force their management into a proper negotiation with ALTDOS.”

Management replied on December 26, asking for more time, they claim. But after that, ALTDOS didn’t hear from the representative again, and so on New Year’s Day, ALTDOS breached 3BB’s Wifi Hotspot servers and stole over 2.8 million user records. A file with more than 83,000 records was provided to DataBreaches.net as proof.

Following the attack on the Wifi Hotspot servers, management sent a new representative to start or restart negotiations with them.

“Their management proposed to pay us 1/3 of the demanded amount and hire ALTDOS as their security consultant over the next 2 years with 2/3 of the balance amount,” an ALTDOS spokesperson claims, adding that ALTDOS refused their proposal and negotiated an 8-week installment plan for payment.

The negotiations began to fail when a few senior executives reportedly refused to agree to the installment payment plan. On January 7, ALTDOS leaked some MONO data.

It might have stayed at that leak level, except that MONO issued their press release and the statement angered the threat actors. They wrote to DataBreaches.net:

ALTDOS is seriously insulted by their management statement which seem to undermine our expertise, and so here are the facts:

ALTDOS did not steal some of their employee records. We stole all of their employee records. The stolen information contains more than just name and age. The HR databases contain everything related to each employee, including their father, mother, brother, sister, education, previous employment, salary amount and a lot more.

As partial proof, they sent DataBreaches.net data from a MONO Human Resources file. There were more than 2,900 records with numerous populated fields:



There were so many fields in the HR file that it took three screenshots to capture all the fields. ALTDOS indicated that SQL databases were being converted to .csv format. Redacted by DataBreaches.net.

ALTDOS also provided DataBreaches.net with an employee resume file from MONO that had numerous personal and sensitive data fields and almost 20,000 records. DataBreaches.net is merely listing all the fields:

Hackers acquired employee resume data that contained personal and sensitive information.

But the press release trying to downplay the amount of employee data stolen was not ALTDOS’s only objection to the firm’s press release (which was quoted in the update to this post). They continued responding to the firm’s claims:

  • ALTDOS did not steal some of their online customer information. We stole more than 8 million of their user’s sensitive information.
  • The stolen corporate financial records are not those publicly available records. ALTDOS stole financial records ranging from bank account details, bank transfer, payment transaction records to their clients’ payment history. Eg, ALTDOS knows their exact charges for different advertisers at different time intervals of the day for various 30 seconds time slots on their TV channels from 2014 to 2020. We even know the balance in each of their bank accounts in different banks on different days throughout the 6 years.
  • Their statement says that they have a security system in place. Well, ALTDOS stole tons of their data for almost 2 months without red flags. There isn’t even a firewall installed to prevent simple attacks.

There was more to their statement but readers probably already have the gist of it all. One specific criticism by ALTDOS was a bit surprising:

The fact is ALTDOS warned them via email every time before our attacks, mentioning the time or the target of attack, yet ALTDOS manages to breach in each attacks. There is no more preventative management.

Jasmine’s communication person was sent inquiries to follow up on their first press release and then a second inquiry about ALTDOS’s updated claims, but no response has been received to either inquiry by the time of this publication.

Jasmine and CGSEC both appear to have been somewhat successful in Thailand in terms of getting news outlets not to report on their respective attacks, but they still may have to disclose it all because notification following a breach is covered by Thailand’s data protection law. Linklaters cites the relevant provision of law this way:

Notice of breach laws

If there is a breach of personal data, the controller must notify the Office of the Committee without delay and within 72 hours of identifying the breach, unless it poses no risks to the rights and freedom of an individual.

If the breach poses a high risk to the rights and freedom of an individual, the controller shall notify such breach to the individual without delay together with remedial guidelines.

processor must inform the relevant controller if there is a data breach.

It is not known to DataBreaches.net whether 3BB and MONO have notified any employees and consumers (both of whom, it seems, may be considered “data subjects”), but DataBreaches.net did not find any notifications or statements online. Nor is it known if the firms have notified the data protection commissioner’s office within 72 hours. Update: It appears the government gave some classes of entities an extension until later this year to comply, so these firms may not be obligated to notify at this time. They are, however, still responsible for having basic data security controls and measures in place.

In this case, management may be particularly motivated to suppress any possible bad publicity, as they had a scandal in October 2019, when Jasmine’s CEO and Director Pete Bodharamik (who was also Chairman of the Board of MONO) was fined by the Securities and Exchange Commission for insider trading. Would exposure of multiple hacks of consumer and employee data lead to regulator scrutiny and/or investor jitters?

But apart from regulatory and investor concerns, Jasmine’s negotiation strategy and incident response appear to be backfiring. Not only did their strategy result in ALTDOS launching further attacks and data exfiltration to motivate them to negotiate, but ALTDOS raised their demand to $1.5 million after getting additional 3BB data in a second hack plus the MONO data. And of course, ALTDOS has now publicly revealed more than they had intended to.

In the U.S., large firms with resources generally retain outside counsel and hire firms that specialize in negotiating with threat actors if the firm is willing to negotiate or discuss a payment. It may be different in Thailand, but counting on suppression of news reporting and/or minimizing an attack are generally not winning strategies.

Perhaps the one ray of good news for Thai entities is that ALTDOS may be turning away from them as targets because of the difficulties they experience with the language.

ALTDOS is definitely avoiding non-English language countries for the moment. The language barrier poses a huge barrier both during attacks as well as during negotiation. During attacks, ALTDOS has to make sense out of their language internally by using translator software and this increases the effort and time required to breach a target.

About the author: Dissent

2 comments to “From the frying pan into the fire: Thai business angers hackers”

  1. Gary Smithson - January 13, 2021

    Thai companies like 3BB don’t care much about data breaches as it would be almost impossible for any ordinary citizen whose data was stolen and who suffered financial loss as a result of their alleged negligence to gain any form of financial redress before the Thai courts.

    • Dissent - January 13, 2021

      That’s discouraging, but maybe when consequences go into effect later this year, companies may care a bit more. A fine equivalent to USD $150,000.00 isn’t much for a big corporation, and the criminal penalties don’t seem to apply to anything other than intentional breaches/disclosures, but maybe if the public starts complaining to the regulator and the regulator publishes findings, companies will care more about the bad press they may get.

      In any event, I will continue to report breaches to inform the public when their data has been stolen and likely dumped.
