Thailand’s telecom regulator ordered True Move, the country’s second-largest mobile operator, to determine the impact of a recent leak of users’ personal data and prepare to compensate those affected.

The call by the National Broadcasting and Telecommunication Commission (NBTC) followed a notice sent to True in March by Niall Merrigan, a Norway-based cybersecurity researcher, who said he accessed the data of 11,400 True customers stored in iTruemart on Amazon Web Services, Bangkok Post reported.

NBTC is conducting a formal investigation into the data leak and is considering penalties, the newspaper said. Copies of the ID cards of the customers affected were made public.

True defended its security measures and said it took steps last week to protect its retail platform from future hacks.

Merrigan wrote in a blog that “there was no security at all protecting the files… if you found the URL, you could download all their customers’ scanned details”.

Security experts said he used special tools to access the information.

Pakpong Pattanamas, deputy director for mobile business at True, said personal data on its online retail platform is not readily accessible to the general public, Bangkok Post reported. He said True is considering taking legal action against Merrigan for the hack.

NBTC plans to ask the country’s major mobile operators to clearly outline their data protection measures.