Data breach of over 20,000 Senate applicants investigated

A major data breach involving personal information from over 20,000 applicants for the Senate election is under investigation by the Election Commission (EC) of Thailand. The leak occurred soon after the district-level voting on June 9.

EC Secretary-General Sawaeng Boonmee confirmed that the data was compromised through file formats integrated into the system by an unidentified agency. The EC is collaborating with the National Cyber Security Agency (NCSA) to prevent further breaches and trace the source of the leak.

“The data was leaked from an agency that put it into the system. We are working with the National Cyber Security Agency [NCSA] to prevent further data breaches leaking confidential information of applicants, said Sawaeng.

“We are also investigating an agency where some officials may have leaked the data. The name of the agency will not be disclosed because the agency itself may have known nothing about the leaks. Moreover, the agency cooperated with and supported the EC in the district-level Senate election.”

NCSA’s Secretary-General, Air Vice Marshal Amorn Chomchoey mentioned that both agencies have implemented security measures to safeguard the database of applicants’ personal information since the general election last year. An internal investigation is underway to determine if officials within the agency caused the leak.

On Wednesday, Senate election candidates Kengkaj Kupakrapinyo and Wanna Horkanya filed a complaint with the EC, urging an investigation into the data breach.

Major leak

Wanna pointed out that the personal data of more than 23,000 applicants, including their 13-digit ID card numbers, was leaked and circulated in chat groups on the Line application shortly after voting concluded. This breach violates the Personal Data Protection Act. Wanna criticised the format in which candidate data was stored.

“The data was stored in Excel file format, which all candidates in the district-level vote could access. If the personal data falls into the hands of criminals, this will cause damage to the applicants.”

He also requested the Office of the Personal Data Protection Commission (PDPC) under the Ministry of Digital Economy and Society to investigate.

The PDPC responded yesterday, asking the EC to clarify the issue and urging recipients of the leaked data to cease sharing it. The office is monitoring the situation and plans to enhance measures to protect personal information.

Meanwhile, Sawaeng disclosed that the EC has not yet prepared a contingency plan for potential issues arising from the Constitutional Court’s upcoming ruling on the legality of four contentious provisions in the Senate election law, scheduled for next Tuesday.

The controversy centres on Sections 36, 40(3), 41(3) and 42(3) of the Senate election law. Section 36 pertains to the self-introduction of candidates, while the other sections address voting procedures at district, provincial, and national levels.

Upcoming ruling

The Constitutional Court announced it had sufficient information to issue a ruling next Tuesday. Regardless, the EC plans to proceed with provincial-level voting for the Senate election on Sunday, narrowing down the 23,645 candidates to about 3,000 for the final vote.

The court accepted petitions from Senate election candidates on June 5, questioning the legality of the four provisions. However, it did not issue any injunction, indicating no immediate serious repercussions from continuing with the Senate poll. The court also noted that the EC has the authority to intervene if necessary to prevent any issues, reported Bangkok Post.