Thailand boosts data protection following massive elderly PII leak
In a bid to combat personal data leaks, the Thai authorities pledged to strengthen protective measures. Next month, 85 organisations, each handling over 100,000 personal datasets, will face on-site audits. Half of these audits are expected to be completed by August, as confirmed by the Secretary-General of the National Cyber Security Agency (NCSA), Amorn Chomchoey.
A recent report from cybersecurity company Resecurity Inc. found that cybercriminals had leaked large quantities of stolen personally identifiable information (PII) from Thailand on the dark web. A dataset labelled Thailand DOP.go.th Leaked was discovered on the site breachedforums.is. This dataset, primarily containing the PII of Thailand’s elderly population, is estimated to be around 690 megabytes and to contain nearly 19.7 million rows of data, the Bangkok Post reported.
Amorn clarified that the leaked information from the Department of Older Persons (DOP), although extensive, does not equate to 19 million users. Instead, the data breach comprises 19 million records of 230,451 individuals. The leaked information includes 108,000 names of elderly individuals who applied for DOP loans, with the remaining names being their guarantors.
Currently, the source of the leak is under investigation. However, it has been established that the DOP did not create the affected system, having outsourced its development to a third-party company, said Amorn.
“Developers must not use real data during system development until sufficient security is ensured.”
Amorn added that data processors accepting outsourced work could face charges under the Personal Data Protection Act (PDPA) if a data leak results from their development work.
Personal data
Amorn revealed plans for NCSA to collaborate with the Office of the Personal Data Protection Commission (PDPC) to audit organisations handling the personal data of more than 100,000 people. Notably, organisations not listed as part of the critical infrastructure often experience data leaks, so they will now be supervised under the Cybersecurity Act as well.
NCSA will supervise these organisations’ security measures, while the PDPC will confirm their compliance with the PDPA, particularly since some organisations publish excess personal data on their websites without the notification and consent the PDPA requires.
Amorn disclosed that NCSA identified more than 100 cybersecurity attacks on both public and private organisations last year. He announced plans to amend the Cybersecurity Act to implement stricter punishments for state agencies that allow data leaks due to weak security.
The Secretary-General of the PDPC, Siwarak Siwamoksatham, stated that organisations with personal data leaks resulting from their negligence will face serious penalties under the PDPA law. He further proposed increasing the punishment to a term of imprisonment of 5-10 years, a significant leap from the current one to two years.
Siwarak also revealed plans to amend the PDPA law to punish those who buy or sell personal data. This will also include a compensation clause for scam victims. Before these amendments can be implemented, a public hearing is required.
The PDPC has established a new committee investigating state agencies violating PDPA law. The Investigation and Governing Bureau and PDPC Eagle Eye Centre, NCSA and the CyberCrime Investigation Bureau have jointly investigated unauthorised trading of personal data, leading to the capture of nine suspects and the issuance of arrest warrants for two individuals.
Police Colonel Suraphong Plengkham, director of the bureau and the Eagle Eye Centre, said that the centre discovered 5,869 organisations unnecessarily disseminating personal data on various websites between November 9 last year and February 8. These organisations have since been warned and informed of proper practices.