Indonesian Phone and Content Provider Tri.co.id Leaks Millions of Records Online

On December 1st 2018 Bob Diachenko found a misconfigured database that has publicly exposed millions of user contacts, SMS, and call records that appear to belong to Tri.co.id. With over 260 million total records this is a massive discovery, but what is worse is that the database is still unsecured and publicly accessible. Tri or “3” is a GSM (Global System for Mobile communications) operator and mobile internet service provider and is a division of Hong Kong-based multinational conglomerate CK Hutchison Holdings.

Language barrier and email security

We contacted them the same day as the discovery and followed up for 20 days since a data leak notification email was first sent. Multiple calls to their support went nowhere. Finding someone who could speak English was difficult and then they could not give us any additional contacts once we reached them. Jeremiah Fowler of SecurityDiscovery.com even reached out to their parent company CK Hutchison Holdings but discovered that their email security system rejects hyperlinks and attachments. Without proof they likely ignored the notices as just another SPAM message. In this case strong email security methods actually blocked the data leak notifications.

Type of breach:

IP: An ElasticSearch incident was misconfigured to allow anyone access to millions of records with no password protection.

Type of data leaking:

  • User SMS (91,395,499)
  • User Contacts (65,089,606)
  • User Call records (102,839,952)

 

 

 

Click to view full size

One Month Later.

Usually we do not disclose or report on data breaches until they have been secured and sensitive data is no longer publicly accessible. After many attempts we had exhausted our notification process. Somehow by Jan 11th it seems that they finally got our messages or someone else alerted them to this massive exposure of their customers and the data is no longer accessible.

CK Hutchison Holdings provides mobile telecommunications services in Indonesia, Vietnam, Sri Lanka, Australia, Austria, Denmark, Hong Kong, Ireland, Italy, Macau, Sweden and the United Kingdom.

About the Author

Bob Diachenko
I'm Bob Diachenko, I am Cyber Threat Intelligence Director and journalist at SecurityDiscovery.com. My goal is to help to protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of my discoveries have been covered in major news and technology media, earning myself a reputation as one of the reputable data security analytics. Contact me: bob(at)securitydiscovery.com