Logistics firms urged to bolster protection

Hack of customer data spurs warning

NCSA has warned Thailand's logistics operators to step up their customer data protection after one operator was hacked.

The National Cyber Security Agency (NCSA) has warned Thailand's logistics operators to strengthen their protection of customer data after finding one operator was hacked.

The hack prompted the agency to send a warning to all logistics firms to reinforce their cybersecurity systems, as the Personal Data Protection Commission investigates the incident.

According to AVM Amorn Chomchoey, secretary-general of NCSA, delivery operators store massive amounts of consumers' personal data given the popularity of e-commerce channels, mobile apps and delivery services.

The data includes the current address where each customer receives parcel deliveries, which is more important than the population registration data used by the Interior Ministry or Royal Thai Police, he said.

This type of data reveals the current location of the customer, including where they reside and what time of day they prefer to receive a parcel delivery at their address.

AVM Amorn did not disclose the name of the hacked company, but said the hack was related to an application programming interface (API), resulting in a leak of some customer data.

The hacked company has more than 10,000 outlets nationwide and its API system was determined to be weak, he said.

An API is a mechanism that enables two software components to communicate with each other.

NCSA is investigating the hack following a police investigation into the "Oreo" gang, which led to the information about the hack at the logistics firm.

Cyber-police specialists arrested a member of the gang following the release of violent video content showing acts of torture and other dehumanising acts.

The police said the suspect admitted the group tracked down and bullied other gamers who came into conflict with them.

The arrest was made after police investigated reports of an online assault against a rival gamer, along with allegations that members of the group used illegally obtained personal data to harass victims.

The arrested suspect told police the group hired a page administrator to acquire personal information of other gamers, including the details of two individuals.

The 16-year-old page administrator allegedly purchased access to the related username and password from a 31-year-old man.

CLEAR GUIDELINES

AVM Amorn said NCSA provided guidelines to the country's logistics companies for handling sensitive information.

First, they must ensure strong password complexity and enable multi-factor authentication.

Second, they must implement protection from brute-force attacks and temporarily lock accounts after multiple failed login attempts.

Moreover, they should use encryption for API requests to prevent request interception.

They must also implement auditing functions to monitor database access via access logs, he said.

Furthermore, logistics firms must deploy anomaly detection to identify excessive data requests from a single account.

Finally, they should enhance security measures to comply with the personal data protection law, said AVM Amorn.
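
As an illustration of the access-log auditing and anomaly-detection guidelines above, the following added example (not from NCSA or any logistics operator) flags an account whose API calls return too many customer records within a sliding time window. The log format, account names, five-minute window and 50-record threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format:
# ISO timestamp, account, endpoint, customer records returned.
SAMPLE_LOG = """\
2024-01-10T09:00:00 branch-0100 /v1/customers 30
2024-01-10T09:00:05 branch-0412 /v1/customers 1
2024-01-10T09:01:00 branch-0977 /v1/customers 20
2024-01-10T09:01:30 branch-0977 /v1/customers 20
### truncated entry
2024-01-10T09:02:00 branch-0977 /v1/customers 20
2024-01-10T09:03:10 branch-0412 /v1/customers 1
2024-01-10T09:10:00 branch-0100 /v1/customers 30
"""

def parse_line(line):
    """Split one log line into (timestamp, account, endpoint, record count)."""
    ts, account, endpoint, count = line.split()
    return datetime.fromisoformat(ts), account, endpoint, int(count)

def find_excessive_accounts(log_text, window=timedelta(minutes=5), max_records=50):
    """Return {account: (alert_time, records_in_window)} for each account whose
    records returned within one sliding window exceed max_records.
    Assumes log lines are in chronological order."""
    recent = defaultdict(deque)  # account -> (timestamp, count) pairs in window
    totals = defaultdict(int)    # account -> running sum of counts in window
    alerts = {}
    for line in log_text.splitlines():
        try:
            ts, account, _endpoint, count = parse_line(line)
        except ValueError:
            continue  # malformed entry; a production pipeline should count these
        events = recent[account]
        events.append((ts, count))
        totals[account] += count
        # Evict events that have aged out of the window before comparing.
        while ts - events[0][0] > window:
            totals[account] -= events.popleft()[1]
        if totals[account] > max_records and account not in alerts:
            alerts[account] = (ts, totals[account])
    return alerts

if __name__ == "__main__":
    for account, (when, total) in find_excessive_accounts(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {account}: {total} records within 5 minutes")
```

In the sample, branch-0100 pulls the same total as branch-0977 but spread over ten minutes, so only the burst from branch-0977 is flagged; the threshold should be tuned against each account's normal volume.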
