The much needed Personal Data Protection Act -- which has been delayed for two years -- will be mandated by June. It's part of the government's pledge to boost cyber security in Thailand but a large theft of data from the Thai University Central Admission System (TCAS) earlier this month has done little to inspire confidence that authorities will actually get on top of this growing threat anytime soon.
Through this latest embarrassing cyber theft, the personal information of over 23,000 students who took part in last year's university entrance examinations was taken and sold on the internet by hackers.
The stolen information is part of 826,250 files in the TCAS database.
The incident is another reminder of government failure to deal with cyber-security threats.
Last year, a number of state hospitals -- one of the largest public database storage areas -- were attacked by hackers.
State-run Phetchabun Hospital in September saw data on more than 10,000 patients stolen.
In the same month, another hacker managed to block Saraburi Hospital from accessing patients' medical records and shut down the hospital's phone lines. The attacker demanded the hospital pay 63 billion baht in Bitcoin.
A month later, it was found that someone on the dark web was selling the data of 100,000 people from 11 hospitals nationwide.
Cyber theft in e-commerce and fintech has proven to be even more brazen.
Last October, the Bank of Thailand (BoT) admitted that unauthorised online withdrawals of 130 million baht were made from over 10,000 debit and credit card accounts from Oct 1-16.
Be it about these examples or others, pledges from the government to address cybercrime tended to be nothing more than sound bites that would dissipate as the media spotlight moved elsewhere.
Up until now, there have been no updates made by the police about the hackers or who was responsible, nor has there been compensation or protection provided for those affected.
State agencies that collect personal data from the public do not seem to have to bear any responsibility for their failure to protect the data they have collected and stored.
The lack of penalties for database owners for failing to sufficiently protect personal data is the most ignored factor in the country's policy on cyber-security protection.
It appears that the government and private sector are fixated on catching hackers by investing in pricey software and hiring tech-savvy personnel.
Little has been done to make owners of databases accountable for their failure to protect personal data.
It has become normal practice that government and private companies just offer an apology and promise to do better.
It is hopeful that the problem will be addressed when the Personal Data Protection Act becomes effective this June.
Good cyber security laws, applying innovations to match hackers and digital literacy among citizens are all ways to deal with the issue.
But the government must understand that the country's cyberspace and personal data will never be safe in the hands of irresponsible state agencies and companies.
Accountability needs to be part of the solution.