Thailand’s Public Sector Data Breaches Erode Public Trust – And Might Undermine E-Government

Since 2014, Thailand’s E-Government Development Index (EGDI), rated by the United Nations’ biennial survey, has been consistently improving. From being ranked 102nd globally, Thailand is now 55th in 2022. The chart below shows that Thailand has outperformed the subregional, regional, and even world average when it comes to the development of e-government. Similarly, in 2020, Thailand was ranked 10th and 5th in the Asia Pacific and Southeast Asia regions, respectively, by the International Telecommunication Union (ITU) for its Global Cybersecurity Index (GCI).

This is partly due to the Thai government’s continuous efforts to improve digital infrastructure and service provision. The Yingluck Shinawatra administration initiated the Village Broadband Internet Project (also known as “Net Pracharat”) to provide high-speed internet access via the installation of fibre optic cable network and free public Wi-Fi hotspots in rural Thailand, starting with 24,700 villages in December 2017. By November 2022, 75,000 villages were connected. In the same vein, General Prayuth Chan-Ocha incorporated a digital development roadmap as a part of the 20-year National Strategic Plan, known as Thailand 4.0, launched in 2020. Specifically, Strategy 4 focuses on “transform[ing] the public sector into a digital government.” According to the German Institute of Development and Sustainability, effective implementation of e-government should simultaneously: 1) deliver efficient public administration; 2) improve public service delivery; and 3) strengthen the openness and transparency of political processes.

However, while Thailand’s digital performance appears to be in good shape on paper, multiple incidences of personal data leaks from government agencies illustrate a reality that is far from the impressive index scores, exposing not only a gaping hole in cybersecurity practices in Thailand’s public sector but also the lack of institutional accountability and transparency. Moreover, the Thai government’s dismissive response to the issue of data breaches may hamper the goal of an effective e-government as it can further erode the public trust. Further down the road, the growth of e-services may be inhibited despite the enactment of the Personal Data Protection Act (PDPA) in 2022.

…while Thailand’s digital performance appears to be in good shape on paper, multiple incidences of personal data leaks from government agencies illustrate a reality that is far from the impressive index scores

At the peak of the Covid-19 pandemic, the Thai government, like many worldwide, gathered vast amounts of personal data and biometrics from citizens and non-citizens in the name of public health protection. Since then, Thailand has experienced at least three major data heists. In September 2021, the personal data of approximately 106 million visitors to Thailand was made accessible to all online. In April 2023, an army sergeant allegedly put the personal data of 55 million Thais that he hacked from the Thai national public health portal, Mor Prom, for sale on the dark web. At the beginning of this month, a cybersecurity firm found that the personal information of 20 million Thais had been leaked from government agencies and placed on sale. Most of the data stolen in this particular breach appeared to be from the Department of Older Persons, indicating that the perpetrator intended to gain access to elderly Thais, who might be more vulnerable to scams.

Despite the potential negative consequences from these events, the Thai government has hardly reacted or made a statement to address public concerns. While the difficulty in identifying the culprits is understandable, the Thai government’s negligence in addressing cybersecurity issues stemming from the public sector, as well as its inability to safeguard the personal information of its citizens, may potentially undermine its future efforts to implement digital government.

While it is still hard to observe the long-term impact of the eroding public trust on e-government adoption, some hints of potential adverse effects can be found in the number of downloads of Thang Rat and ThaiD — the mobile apps created by the Digital Government Development Agency and the Bureau of Registration Administration for allow Thai citizens to use e-services. Both apps require the submission of sensitive personal data, such as a photo of the back of the identification card, which includes the unique set of codes used to facilitate e-transactions or e-payments. Based on the numbers from the Apple and Google Play Store, the two apps have 500,000 and 10 million downloads, respectively, translating into mediocre adoption rates of one per cent and 20 per cent of the over 50 million internet users in Thailand. Moreover, the statistics from the app stores only consider the number of downloads, but not uninstallations. The erosion of public trust — a prerequisite for broad adoption – arguably explains the underwhelming uptake of these apps, although other factors surely also come into play, such as bad PR or unappealing design.

There are multiple international standards for digital development and the Thai government has admirably dedicated time and resources toward enhancing e-government. However, beyond the objective measures, it is also necessary to consider the subjective element of public trust as key to effective e-government. Addressing cybersecurity issues through supplementary regulations or laws with more stringent punishments for data leaks, especially if done by government agents or agencies, may serve as a short-term solution to regain the public trust. Otherwise, the country will be spending taxpayers’ money on an e-government programme nobody wants to follow.

2024/58