TrueMove H, the mobile phone arm of Thailand’s largest pay-TV operator True Corp., has exposed data, including that of tourists, in the latest Amazon Web Services S3 misconfiguration story.

Fortunately, the breach wasn’t in great numbers. The data exposure, discovered by cybersecurity researcher Niall Merrigan, involved 32 gigabytes of data and about 46,000 customer records.

But unique among the countless companies that have exposed data before on AWS, the data primarily consisted of scans of identity documents, specifically Thai ID cards, drivers licenses and foreign passports.

There’s no suggestion so far that the data was stolen, but Merrigan said in his blog post Friday that he informed True on March 10 that the data was exposed on a public S3 instance. However, True did nothing to make the data private until April 12.

“The response was quite shocking,” he wrote. “They admitted not having a security department and that I should contact their head office between business hours.”

Thailand remains one of the world’s most popular tourist destinations, with 35.3 million foreign visitors in 2017. Tourists are offered SIM card services on arrival, with True Move often the first card offered even before leaving customs.

True is not the first and most likely will not be the last company to upload data to an AWS S3 instance with the settings set to public.

Last year’s prominent cases included Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc. and the U.S. military contractor TigerSwan. This year, known AWS S3 data exposures included FedEx Corp., and Octoly and others.

True hasn’t denied the data exposure but has instead insisted that despite Merrigan finding passport information, the data only related to its iTrueMart online e-commerce site.

Image: TrueMove H