Data Leaks: Thai Government Tough on Private Firms, Soft on Public Sector and Cybercriminals
Though the Thai government has started to crack down on private companies for cybersecurity lapses, it has not been as harsh with corrupt public officials and crooks on the Dark Web.
The thirty-first of July marked the first instance of Thailand’s government punishing a private firm for failing to protect users’ personal data.
Local media reported that the Office of Personal Data Protection Commission (PDPC), under the purview of the Ministry of Digital Economy and Society of Thailand, fined a large e-commerce company, JIB, 7 million baht (US$207,000) for violating the Personal Data Protection Act (PDPA) of 2019.
The PDPC said the JIB data leak incident earlier this year was caused by a staff member deliberately stealing the personal information of customers from the company’s database, bypassing its porous cybersecurity system and selling it for profit.
Many customers who had bought products from the company between 2019 and 2024 were reportedly scammed by cybercriminals. Upon investigation, it became clear that the company, due to negligence, failed to comply with several PDPA standards, such as not having a designated personal data officer to audit data security. Even worse, it did not notify the authorities or the public immediately when the data became compromised.
Governments worldwide have been under pressure over concerns about data protection and the privacy of their citizens. UN Trade and Development (UNCTAD) reports that 75 per cent of countries had some data protection and privacy legislation (commonly known as PDPA Law) by 2021.
Imposing administrative fines on companies that have poor data protection measures is an obvious and popular option to deter companies from PDPA violations. Ironically, trying to catch cybercriminals is generally an uphill battle but requiring legal entities to protect their users’ data is much more straightforward.
However, while legal clampdowns may serve as a warning to private firms about privacy lapses, these only scratch the surface of data breaches and theft. In the case of Thailand, not only is it unclear whether the public sector will be held to the same legal punishments for lagging in cybersecurity protection standards but it is also doubtful that fines will serve as effective deterrence for cybercriminals lured by the financial booty (in the form of data troves) available on the Dark Web.
Yet what the authorities hail as a landmark execution of the PDPA against the private sector in Thailand highlights the government’s renewed commitment to address the data privacy issue in all sectors. It also sets a precedent that an entity considered the target of a data breach or theft can be held liable for said breach or theft due to its failure to adhere to cybersecurity and data protection standards.
However, other incidents that compromised Thai citizens’ personal data involved the public sector. In an earlier case, data was leaked from the Department of Older Persons, exposing 20 million Thais to potential cyber threats and scams.
The investigation remains open and there have not been any charges against any individuals or state agencies involved in this breach. In his recent statement, the minister for digital economy and society even admitted that an extensive review of 31,561 state-run units from November 2023 to late August 2024 revealed 6,086 instances of personal data breaches, with local administrative organisations as the primary culprits.
More astoundingly, they found 139 incidents where officials illicitly sold citizens’ personal data. The minister did not disclose how many citizens could potentially be affected by these incidents. He vaguely said that an “alarm has been raised” and some state agencies had been “warned” of these cybersecurity threats — a soft reaction to a systemic lapse and arguably, bureaucratic wrongdoing. Considering this, it remains doubtful whether the authorities are prepared to apply the law equally when data theft or breaches involve the public sector compared to cases that occurred in the private sector.
Moreover, going after private firms for negligence might not effectively deter financially motivated actors from committing cybercrimes. For instance, the Dark Web Price Index quotes the pricing (per piece) for credit card credentials and related personally identifiable information (PII) at between US$17 and US$120. It costs next to nothing for someone to steal others’ data from an online database. What is more, if a cybersecurity system is already lax, it takes a long time for a theft to be flagged.
Such data breaches are not just Thailand’s problem; other countries in the region likewise need to reassess their approaches to protecting citizens’ data privacy, to adapt to the ever-evolving tactics of cybercriminals. Stealing PII has gone beyond just identity theft and now intersects with online scamming, thus having the potential to impact a broad base of victims around the globe, with Southeast Asian countries pegged as hotspots by many reports.
Since online scams are transboundary in nature, they require collective, multinational solutions but the regional mechanisms that exist need strengthening and updating. Past efforts from ASEAN include the Framework on Personal Data Protection and the Framework on Digital Data Governance, which were endorsed at the ASEAN Telecommunications and Information Technology Ministers Meetings in 2016 and 2018, respectively.
Revisiting these frameworks and having the ASEAN Summit in October acknowledge this urgent need should be high on the region’s agenda. For instance, components of the EU’s General Data Protection Regulation could be evaluated as potential models, with particular attention paid to the mechanism for imposing stricter laws and tougher sanctions, which in the EU come with extraterritorial application. Perhaps then it will be easier to nab the negligent, corrupt and criminal, whether from the private, public or “shady” sectors in Thailand and the region.
2024/286
Surachanee Sriyai is a Visiting Fellow with the Media, Technology and Society Programme at ISEAS – Yusof Ishak Institute. She is the interim director of the Center for Sustainable Humanitarian Action with Displaced Ethnic Communities (SHADE) under the Regional Center for Social Science and Sustainable Development (RCSD), Chiang Mai University.











