Penalties urged for data breaches

Leak triggers reply from officials

A recent leak on the dark web of the names of elderly Thais who applied for loans has prompted state agencies to push for harsher penalties. (Photo: Wichan Charoenkiatpakul)

State agencies have vowed to tighten measures to tackle personal data leaks, promising heavier penalties and beginning on-site audits next month of 85 organisations that have 100,000 personal datasets or more.

Roughly half of the 85 organisations are expected to be audited by August, said AVM Amorn Chomchoey, secretary-general of the National Cyber Security Agency (NCSA).

According to a report by cybersecurity firm Resecurity Inc, cybercriminals have leaked massive volumes of stolen personally identifiable information (PII) from Thailand on the dark web.

One dataset was found on the site breachedforums.is, labelled "Thailand DOP.go.th Leaked". It consists primarily of PII of elderly people in Thailand.

The firm described it as a substantial collection, around 690 megabytes in size and containing 19.7 million rows of data.

DOP is the Department of Older Persons.

AVM Amorn told the Bangkok Post the agency had examined the DOP leak and clarified that the roughly 19 million rows relate to 230,451 individuals, not 19 million people.

Of those, about 108,000 are older persons who applied for DOP loans; the remaining names are their guarantors, the NCSA said.

"We are investigating how the leak occurred, but found the DOP did not develop the related system itself, outsourcing the work to a firm," he said.

Developers must not use real personal data during system development until sufficient security has been put in place, said AVM Amorn.
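The practical consequence of that rule is that a development or test environment should be built from a pseudonymised copy of production data rather than from the real records. The following Python is an added example, not code from the DOP, the NCSA or the contractor; the loan-application schema (citizen_id, name, phone, guarantor_id) and the two sample rows are constructed for illustration and are not from the leaked dataset. It shows one way to do this: keyed HMAC tokens replace real identifiers so that the borrower-to-guarantor link survives in the development copy, names and phone numbers are replaced with synthetic values, and a final check confirms no real value leaked through.

```python
"""Build a development copy of a loan-application table with no real PII.

Added example. The schema and the rows in REAL_ROWS are constructed for
illustration; the HMAC key is assumed to live only in the production
environment, so the tokens cannot be reversed from the dev copy alone.
"""
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for a production export. Row 0's
# guarantor is row 1, which is the relationship the dev copy must preserve.
REAL_ROWS = [
    {"citizen_id": "1101700203451", "name": "Somchai Jaidee",
     "phone": "0812345678", "guarantor_id": "3100200123456"},
    {"citizen_id": "3100200123456", "name": "Malee Jaidee",
     "phone": "0898765432", "guarantor_id": None},
]


def pseudonymise_id(citizen_id, key):
    """Keyed HMAC-SHA256 of the identifier, truncated to 16 hex characters.

    The same real id always maps to the same token, so foreign-key style
    references (borrower -> guarantor) still resolve, while an attacker who
    obtains only the dev copy cannot invert the token or brute-force it
    without the key.
    """
    return hmac.new(key, citizen_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_row(row, key, index):
    """Return a row with every PII field replaced by a token or a synthetic value."""
    return {
        "citizen_id": pseudonymise_id(row["citizen_id"], key),
        # Synthetic name and phone are derived from the row index only,
        # never from the real values, so nothing about the person survives.
        "name": f"Applicant {index:05d}",
        "phone": "08" + f"{index:08d}",
        "guarantor_id": (pseudonymise_id(row["guarantor_id"], key)
                         if row["guarantor_id"] else None),
    }


def build_dev_dataset(rows, key=None):
    """Pseudonymise every row with one key so cross-row references stay consistent."""
    key = key or secrets.token_bytes(32)
    return [scrub_row(r, key, i) for i, r in enumerate(rows, start=1)]


def leaks_real_pii(dev_rows, real_rows):
    """Release check: True if any real identifier, name or phone number
    appears anywhere in the development copy."""
    real_values = {v for r in real_rows for v in r.values() if v}
    return any(v in real_values for r in dev_rows for v in r.values() if v)


if __name__ == "__main__":
    dev = build_dev_dataset(REAL_ROWS)
    for row in dev:
        print(row)
    print("leaks real PII:", leaks_real_pii(dev, REAL_ROWS))
```

The key is generated (or supplied) on the production side and is never copied to the development environment; if the same key is reused across refreshes, tokens stay stable between refreshes, which is convenient for testing but means the key must be rotated if it is ever exposed.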

"In general, data processors accepting outsourced work could be charged under the Personal Data Protection Act [PDPA] if a data leak results from their development work. They need to ensure security," he said.

AVM Amorn said NCSA will join forces with the Office of the Personal Data Protection Commission (PDPC) to audit 85 organisations that have personal data of more than 100,000 people.

"We've found organisations that are not listed as part of critical infrastructure often have data leaks. They will be supervised under the Cybersecurity Act," he said.

NCSA will oversee the security measures of these organisations, while the PDPC will verify their PDPA compliance, as some publish excessive personal data on their websites without the notification or consent the PDPA requires, said AVM Amorn.

"We will ask them to do self-assessment to check their security requirements and PDPA compliance," he said.

Last year, NCSA recorded more than 100 cyberattacks on public and private organisations.

"We plan to amend the Cybersecurity Act to add stronger punishment for state agencies that allow data leaks because of weak security," said AVM Amorn.

Siwarak Siwamoksatham, secretary-general of the PDPC, told the Bangkok Post that over the past few years the committee had only sent warnings to organisations that suffered personal data leaks.

This year the committee will seriously punish organisations whose personal data leaks are caused by careless or inadvertent actions, as the PDPA provides, he said.

"We plan to amend the PDPA law this year to add punishment for those who sell or purchase personal data," said Mr Siwarak.

He said the punishment should be increased to imprisonment for 5-10 years, up from a current average of 1-2 years.

"During the past four months, there have been cases where the court sentenced offenders to two years in prison without probation," said Mr Siwarak.

Call centre scams have greatly damaged the economy and society, with authorities investigating those providing the personal data to the scammers.

He said next year the committee plans to amend the PDPA law by adding a compensation clause for scam victims.

This amendment first requires a public hearing, said Mr Siwarak.

The PDPC recently established a new committee to investigate state agencies that violate the PDPA, he said.

In a related matter, the Investigation and Governing Bureau and the PDPC Eagle Eye Centre, together with NCSA and the Cyber Crime Investigation Bureau, investigated the unauthorised trading of personal data, resulting in the arrest of nine suspects.

Arrest warrants were issued for two more individuals.

Pol Col Suraphong Plengkham, director of the bureau and the Eagle Eye Centre, said that from Nov 9, 2023 to Feb 8 the centre found personal data being unnecessarily published on the websites of 5,869 organisations.

These organisations were warned and informed of proper practices, he said.
