Organisations need to bolster their online defences as rising numbers of cyberattacks against the public and private sectors indicate that data leaks and digital threats will become ever more commonplace in the years to come, according to cybersecurity authorities.
At least 200 pieces of critical information infrastructure in seven sectors urgently need to adopt measures necessary to guard against cyberattacks, according to the National Cyber Security Agency (NCSA).
Several high-profile cyberattacks have been reported recently in Thailand, including ransomware targeting Saraburi Hospital in September last year, a data leak of more than 13 million customers from e-commerce platforms in November 2020, and cyberattacks on Bangkok Airways and AXA Insurance.
A recent case involved the Public Health Ministry in which a user on raidforums.com claimed to have 16 million hacked records of patients' data to sell. Authorities indicated that the data of 10,000 patients from Phetchabun Hospital was leaked in this case.
Meanwhile, several media outlets reported on Tuesday that the data records of some 30 million people in Thailand, including their national identity numbers, telephone numbers, addresses and birth dates, had been hacked. The data was being offered for sale through a website. Authorities said they were investigating the report.
TRIPLE EXTORTION
Prinya Hom-anek, a board member of the National Cybersecurity Committee, told the Bangkok Post that cyberattacks will become commonplace and it is very hard to 100% defend against the attacks.
He also described "triple extortion" steps carried out by attackers against victims.
The first starts with hackers placing restrictions on data access by encrypting files and asking for a ransom payment for a key to unlock it.
If victims have backup data and refuse to pay, the attackers will proceed to the second step by threatening to release the victims' sensitive data to the public.
If victims still refuse to pay, the attackers will exploit the leaked data of these victims' customers, including by swindling them out of money through 'social engineering attacks'. In this scenario, hacked organisations could be sued by data owners for the data breach.
"We have seen data leakage since 2017 with data sales through the dark web. But now attackers can make data sales through open public websites like raidforums.com," said Mr Prinya.
Its sluggish economy has now turned Eastern Europe into a hotbed of hackers.
"It is hard to prevent the attacks and we are likely to see more data leakage that happens on a daily basis. It is also hard to trace and catch the hackers but we can minimise risks," Mr Prinya added.
Organisations need data governance, encryption and pseudonymisation to help themselves minimise the chances of being hacked, he said.
"This is not a simple task as it requires the overhauling of data structure and programming, which requires critical budget," said Mr Prinya. "We will also see more related assistance services coming out, such as cyberinsurance, cyber-risk assessment and crisis communication services."
According to Mr Prinya, people who know their data has been leaked must quickly change their passwords.
HOSPITAL DATA BREACH
Gp Capt Amorn Chomchoey, acting deputy secretary general of the NCSA, told the Bangkok Post that his agency was part of the data breach investigation at Phetchabun Hospital.
The leak, he said, happened with its internal system, where the data of 30 physicians and 10,000 patients was stolen. This was based on 16 million records of data taken by hackers who tried to sell it on raidforums.com.
Gp Capt Amorn said that in November the NCSA will announce three subordinate laws under the Cybersecurity Act, which will indicate the number of critical information infrastructures and sectors that fall into this act and require strong protection, along with baseline security measures needed to protect the system and the types of data which require compliance.
He said there were at least seven sectors and more than 200 critical information infrastructures from both public and private sectors that must comply with this act within a year after the implementation of the three subordinate laws.
According to Gp Capt Amorn, the NCSA will conduct cybersecurity training for at least 2,250 people, including staff dealing with critical information as well as students in secondary schools and universities.
The agency also plans to conduct a national cyberdefence exercise, demanding those dealing with critical information assess risks and respond to incidents.
Gp Capt Amorn said decision makers need to thoroughly consider security protection in every dimension of new systems, and organisations need to have proper processes, people and technology for cybersecurity.
They need to identify and detect risks fast as well as respond effectively to the incidents, he said.