The Lizard Squad, a black-hat hacker group, says it has successfully cracked The Mall Group's M Card database and is demanding a ransom not to release customer data.
It marks the first time the global collective has made an attack on a commercial business in Thailand.
On Wednesday, the Bangkok Post received an email from the Lizard Squad, saying it had breached the weak defences of M Card Mall, a rewards programme that serves customers at various popular shopping malls.
The group said it downloaded thousands of customer data records including passwords and details about customers' employment and families.
The Lizard Squad is threatening to disclose the data to its followers if The Mall Group and business ally Siam Piwat refuse to pay a ransom.
An executive at The Mall Group said the website in question, www.mcardmall.com, was attacked by the Lizard Squad but has been closed since 2013.
The site was used to promote the M Card's image and did not contain important database information, the executive said.
The customer database on the defunct website is old, the group said, adding that it would consider informing its customers soon.
"We won't pay to meet the hackers' demands and will formally inform the Thailand Computer Emergency Response Team (ThaiCert) about our case soon," the executive said.
The Mall Group's IT department has already stepped up defence systems for its other websites.
A 2013 security report by British-based SophosLabs identified Thailand as the third-riskiest country for cybersecurity in Asean. Many state agencies' websites have been attacked recently.
The Lizard Squad is known for its many distributed denial-of-service attacks aimed primarily at gaming-related businesses. It claimed responsibility for the Christmas strikes on Microsoft's Xbox Live and Sony's PlayStation Network last year.
This year, the group took credit for a Facebook outage it said demonstrated an ability to bring down the social network's global service.
Facebook denied that the outage had anything to do with the Lizard Squad.
Chaichana Mitrpant, deputy executive director of the Electronic Transactions Development Agency, which oversees ThaiCert, said the Lizard Squad might be using SQL injection techniques.
Such techniques exploit security flaws in a database application's software.