Cyber Incident Victim: 3BB
Date: Nov 2020
Location: Thailand
Summary
A Thai fixed broadband provider suffered a significant data breach by threat actor ALTDOS, resulting in the theft of approximately 8 million customer records containing sensitive personal and financial information, including names, ID card numbers, passwords, and bank details. After unsuccessful ransom negotiations, the attackers escalated by breaching a subsidiary, MONO, exfiltrating hundreds of gigabytes of corporate and employee data, including HR records and resumes with extensive personal details. When the parent company downplayed the incident’s severity, ALTDOS increased their demand to $1.5 million and publicly leaked portions of the stolen data, criticizing the victim’s inadequate security controls and lack of timely communication. The breach exposed systemic vulnerabilities and raised potential regulatory concerns under Thailand’s data protection laws.
Description
The ALTDOS threat actor group initiated a cyberattack against 3BB, a Thai fixed broadband provider and subsidiary of Jasmine International PLC, in November 2020. During this breach, ALTDOS exfiltrated approximately 8 million customer records containing personally identifiable information, including names, addresses, dates of birth, national ID card numbers, mobile numbers, email addresses, usernames, and passwords. The group also stole corporate financial records during this initial compromise. ALTDOS began ransom negotiations with Jasmine International on December 18, 2020, demanding $500,000 USD for the stolen data. When negotiations failed to produce payment, the threat actors escalated their campaign by breaching MONO Next Public Company, another Jasmine subsidiary, in December 2020. They compromised 12 of MONO's data servers, stealing hundreds of gigabytes of databases including complete human resources records containing employee family relationships, education histories, employment records, salary details, and over 20,000 employee resumes with additional sensitive personal data.

Following MONO's public statement on January 7, 2021, which attempted to minimize the breach's scope, ALTDOS retaliated by leaking portions of the stolen MONO data and increasing their ransom demand to $1.5 million USD. The threat actors specifically contested MONO's characterization of the stolen data, demonstrating through leaked samples that they possessed comprehensive financial records including bank account details, transaction histories, client payment records, and television advertising rate cards from 2014-2020. ALTDOS also breached 3BB's Wifi Hotspot servers on New Year's Day 2021, exfiltrating an additional 2.8 million user records. Throughout the campaign, ALTDOS employed a strategy of pre-attack warnings to demonstrate security vulnerabilities, claiming Jasmine's systems lacked basic firewall protections. The prolonged negotiations involved multiple company representatives and proposed payment structures, including installment plans and security consulting contracts, all of which ultimately collapsed. Thailand's Personal Data Protection Act requirements for breach notification within 72 hours created potential regulatory exposure, though implementation extensions may have delayed mandatory disclosures. The incident's progression from initial breach to multiple subsidiary compromises demonstrated how failed negotiations and public minimization attempts resulted in expanded data exfiltration, increased financial demands, and public exposure of sensitive corporate and customer information.
