Cyber-attackers have stolen the data of 123,000 customers of Kasikornbank (KBank) and Krungthai Bank (KTB) in what appears to be the first massive data leak of local financial institutions.
The Bank of Thailand was told by both banks late last week about the leakage of their customers' non-financial data, said Ronadol Numnonda, the central bank's assistant governor for the supervision group.
He said no customers have reported financial losses so far.
KBank, the country's third-largest bank by assets, told the central bank that some of its corporate customer information had been leaked but it was all general data, while KTB said most of the leaked data involved lending applications from retail customers, though some of their corporate customer data was also stolen, Mr Ronadol said.
Both banks said the leaked information was not financial transaction data, adding that they had already stemmed unauthorised access, he said.
The banks have inspected all related systems and allowed experts to assess every operating system to ensure that everything is protected, Mr Ronadol said.
The Bank of Thailand has instructed the banks to tighten their cybersecurity systems, protect customers from the fallout and inform those whose information was leaked, he said.
The central bank also ordered KBank and KTB to prepare assistance measures in case damage crops up and informed other financial institutions to be more vigilant.
Chantavarn Sucharitakul, the Bank of Thailand's assistant governor for corporate strategy and relations group, said the central bank cannot identify whether the cyber-attacks were carried out by the same hacker. He said it would have to wait for the conclusion of an in-depth investigation outcome.
KBank president Pipit Aneaknithi said the bank on July 25 found that the names of 3,000 corporate customers using KBank's website to provide letters of guarantee might have been leaked.
"As soon as KBank detected this irregularity, we immediately closed the loophole and increased the level of data surveillance and protection to prevent a potential leak," he said. "The data that may have been leaked to the public concerns the names and telephone numbers of KBank's corporate customers using the online letter of guarantee service. This does not entail important information related to transactions or the financial data of those customers. Therefore, the data cannot be used for illegal purposes."
According to a preliminary investigation, no customers have suffered any damages as a result of the incident, the bank said, but KBank officials will monitor any customer account irregularities.
KBank said it plans to inform its corporate customers affected by the hack individually.
"If our customers notice anything suspicious in related transactions, KBank is ready to take responsibility and provide assistance," Mr Pipit said.
Meanwhile, Kasikorn Business Technology Group (KBTG) chairman Somkid Jiranuntarat said the attacks may have originated from outside of Thailand.
KTB president and chief executive Payong Srivanich said in a statement that the bank had detected that the general information from 120,000 retail clients who applied for mortgages and personal loans online, including 3,000 corporate customers, was hacked in the days leading up to the July holidays.
KTB, the country's fourth-largest lender by assets, said it is working with IT security firm Cyber Security & Digital Forensics to investigate the incident and upgrade its security system.
"The bank has strong investigation and tracking systems to regularly and continuously protect customer information," he said. "We admit that hackers' capabilities are growing and it is a challenge for the bank to improve its cybersecurity system -- an important task in digital age."
Prinya Homanake, secretary of the Thailand Security Information Association, said banks must look into their security systems because other banks may face similar attacks.
"We don't know how much information the hackers got, and they might post it online to damage the banks' reputations," he said. "So it's best for the victimised banks to share their vulnerabilities."
Bhume Bhumiratana, a cybersecurity commission member, said both cases showed that at least two banks have the ability to detect intrusions on their own, but less is known about the sophistication of the hackers.
The Bank of Thailand and those banks need to come up with a solid action plan to cope with the cybersecurity challenge, he said.
Mr Bhume added that banks also need to ensure they have proper auditing and protection systems, along with the ability to detect vulnerabilities and shore them up in real time.
Predee Daochai, chairman of the Thai Bankers' Association, said the association is monitoring the situation.