Time to take data security seriously

As we enter the last weeks of 2021, there's no better time to reflect on the past 12 months than now. While Covid-19, vaccine inequity, reversals on gains made in the fight against poverty, climate change, and shifting geopolitical conflicts captured the public's imagination, another scourge also made its presence felt, although rather discreetly.

Cybercrime, particularly data breaches targeting government institutions, the healthcare sector, and the financial services industry, is becoming more and more common. This year saw a 17% uptick in data leaks globally, 1,291 breaches compared to 1,108 the year prior, according to the Identity Theft Resource Center (ITRC). As remote work and digitalisation continue their upward trajectory, criminals have shifted their focus online to secure sensitive data, ranging from phone numbers, email IDs and bank accounts to passport details, for profit.

Thailand has not been spared by these malicious actors. One such headline-grabbing breach this year was brought to light by cybersecurity researcher Bob Diachenko, who uncovered a database containing personal information of some 106 million tourists who visited the kingdom over 10 years ago.

A quick Google search will reveal similar incidents with cybercriminals targeting clients of an online shopping site, customers of a resort, and even airline passengers. And who can forget the debacle surrounding the leak of foreigners' personal information as they tried to register for a jab through ThailandIntervac, an on-line vaccine reservation site run by the Ministry of Public Health?

But perhaps most worrying of all were the ransomware attacks on Phetchabun Hospital and Bhumirajanagarindra Kidney Institute Hospital in September that saw personal information and treatment histories stolen and both institutes' databases taken offline. The data were found being sold on the dark web.

In May 2019, the government passed the Personal Data Protection Act (PDPA) and Cybersecurity Act to promote trust in the digital economy. Yet almost three years later, the PDPA, the first local law designed to provide a framework for data protection that covers how personal information is collected, processed, and stored by companies, has yet to be fully enforced.

Earlier this year, the government delayed implementing the bill for a second time until June 1, 2022, citing pandemic-related challenges and lobbying by the Federation of Thai Industries who bemoaned the extra burden the new law would place on the private sector, especially in terms of cost.

Hackers target personal data through two routes -- human error, in which naïve employees are fooled into opening malware-infested links or emails, as was suspected in the case of the hospital breaches, or organisations failing to secure their databases with the latest security software, leaving them effectively sitting ducks.

The PDPA is meant to reduce such risks by requiring companies to obtain consent for the collection of personal data. It also requires further classification of personal data so additional protective measures can be applied.

However, without any clear-cut policies provided under the new law, implementing change remains difficult. From the perspective of profit-driven companies, it makes little sense to invest in new practices that can be deemed insufficient or made redundant overnight.

Regardless, state and private players should not wait for laws to dissuade cybercriminals. Implementing basic cyber hygiene measures by investing in employee education on good data practices and on how to spot and quarantine suspicious links or files will go a long way in reducing data breaches.

Moreover, relying on IT admins (who are not trained cybersecurity experts) to secure databases is folly. Instead, companies should invest in personnel who can operate systems to prevent breaches from happening in the first place. Hiring a team of cybersecurity experts will save money in the long run and prevent bad publicity and loss of trust in the business.

Also, as 2021 draws to a close, there is really no excuse for state agencies and private players to be using outdated IT infrastructure that can be easily hacked. Surely, more can be done with the vast resources available on hand?

With tourism's slow march to recovery in full swing, it's clear the country has to look towards new avenues for growth. With the pandemic taking the world online, the digital economy is booming and is set to create new opportunities well into the future. Yet it has also created new challenges and risks. While crypto-friendly policies and talk about making the country a digital nomad destination are commendable, both state and private sector players have an obligation to ensure personal data protection to instil confidence in the future they promise.