A hacker who goes by the name "9near" is threatening to publish the personal data of some 55 million Thai citizens on a dark web data-breach site called BreachForum at 4pm today.
The hacker claims to have hacked into various government databases -- a claim backed by sending several well-known newscasters text messages containing their personal data, including their phone numbers, registered addresses, ID card numbers and other private information.
While the news is shocking to hear, 9near isn't the first hacker to have dared to breach the government's database -- and unfortunately, cyber security experts believe he won't be the last.
In February last year, the personal information of over 23,000 students who took university entrance exams in 2021 was sold on the internet after cyber criminals hacked into the Thai University Central Admission System (TCAS).
Before that, in August 2021, the data of over 10,000 patients at the state-run Phetchabun Hospital was held for ransom by hackers, who shut the hospital's phone lines and demanded 63 billion baht in Bitcoin. Just a month later, it was revealed that the data of over 100,000 patients from 11 hospitals nationwide was being sold on the dark web.
More recently, a police lieutenant colonel and a Commerce Ministry official were arrested for selling Thai citizens' personal information to call centre operators. To authorities, both suspects admitted to making over 600,000 baht a month selling other people's private information.
Despite the string of hackings, the government's response to date has been disappointing at best. The Ministry of Public Health had promised an investigation into the hackings, but the probe has not made any progress. Worse still, there has been no compensation paid to those whose data was stolen.
The Minister for Digital Economy and Society, Chaiwut Thanakamanusorn, has vowed to do what it takes to arrest the hacker. He said he would expedite the government's push to digitise national identity cards, which will see each citizen issued a QR code instead of a physical card.
The government is planning to issue digital IDs to 10 million citizens when the scheme launches, which is a good start, but what about the plan for the rest of the country? And can the government ensure the digitised system is secure enough to fend off hackers?
Instead of shooting in the dark, the DES Ministry should focus on salvaging the public's confidence by holding agencies which are responsible for protecting Thais' personal data accountable. The DES Ministry must promote cybersecurity education in order to better protect Thai citizens from possible identity theft and fraud.
It is about time the DES Ministry plugs the loopholes in the Personal Data Protection Act (PDPA), which came into effect on June 1 last year. It is worth noting that just two months after the PDPA was passed, the cabinet approved a royal decree which exempts government agencies from respecting privacy obligations outlined by the PDPA, if the data in question concerns public service, national security threats and/or criminal investigations.
Thailand's history with data leaks shows how government agencies are not up to the task of protecting citizen data. Therefore, the DES Ministry needs to sharpen its tools to ensure citizens' data is safe in their hands.