The telecom regulator on Wednesday ordered True Move H to take full responsibility for the data leak of 11,400 customers' personal information.
The responsibility covers both civil and criminal proceedings the company may have to resolve, including paying proper compensation to affected customers, according to Section 64 of the Telecom Business Act of the National Broadcasting and Telecommunications Commission (NBTC) covering customer protection.
More importantly, True Move H must improve its data security system for customers' personal data to meet higher risk, and the system will need the participation of experts to ensure and monitor security measurement.
NBTC secretary-general Takorn Tantasith said the regulator also ordered the company to set up a free channel for affected customers to see what damage they may face.
True Move H must report the results to the NBTC within seven days to affirm that the company has complied, and it has to provide updates on the situation to the NBTC every 15 days.
Failure to comply with the order may result in True Move H being fined 20,000 baht a day, according to Section 66 of the Telecom Business Act.
Mr Takorn said True Move H can disagree with the NBTC's order, but the company must file a complaint with the NBTC Office within 15 days of receiving the NBTC's order.
But Mr Takorn said the NBTC has yet to consider any punishment or fine for the company.
The regulator has to collect all related information and submit it the NBTC board for consideration.
"The administrative order yesterday made by the NBTC office is an urgent measure to handle the case, while any penalty will be decided upon by the NBTC board," Mr Takorn said.
He said the regulator needs to protect customers, despite criticism that the move came late.
Mr Takorn insisted that the administrative order came one day after the meeting with executives of True Move H on Tuesday.
Previously, True Move H admitted that the personal data of 11,400 users, including scanned images of ID cards stored by e-commerce channel iTruemart, were leaked. The data was stored by iTruemart on Amazon Web Services' cloud storage S3 bucket.