Will pending legislation be enough to head off security breaches like those that occurred at two Thai banks?
Thailand needs to meet the international standard on data protection and data leaks, especially in the wake of computer hacking incidents at two major Thai banks, in which the corporate and personal information of more than 120,000 customers was compromised.
The European Union’s General Data Protection Regulation (GDPR) law, which came into effect in May, has set the global benchmark for both protection and for issues related to leaks. But Thailand’s version of that legislation, which the National Legislative Assembly is expected to enact later this year, does not specifically address data leak issues, even though this is no less important than protecting data.
Only the National Broadcasting and Telecom Commission (NBTC) currently has rules and regulations in place on data leaks, which are applicable to telecom operators and related entities.
Earlier this week the Bank of Thailand reported that Krung Thai Bank had found its computer system compromised, affecting the security of more than 117,000 customers’ personal information used in its mobile application for obtaining and repaying different kinds of loans. Kasikorn Bank’s computers were also hacked, affecting the data of about 3,000 corporate customers who use the bank’s online letter-of-guarantee service.
These two shocking incidents should be an urgent wake-up call for all parties concerned to ramp up measures to prevent leaks and ensure the response is as efficient and effective as technically possible. The NBTC, for example, requires telecom operators to report any leaks within 72 hours and provide timely information and remedies to owners of the data. There is, however, no such requirement concerning banks and other financial institutions regulated by the Bank of Thailand and other authorities.
The government has to speed up enactment of the data-protection bill and add provisions aimed at preventing leaks. It must guide the parties concerned in responding to such incidents, which are likely to happen more frequently due to widespread adoption of online and mobile banking services.
A huge amount of individuals’ personal data now resides in computer systems, giving cyber-criminals tremendous incentive to break into the digital storehouses of banks and financial institutions. And yet few Thai banks have invested adequately to safeguard their customers’ information even as they rush to move those customers onto online and mobile platforms.
While there may never be a 100-per-cent-assured way to prevent the theft of financial data, it is imperative that responses to hacks are timely and effective in addressing potential damage to customers. People and private firms put their faith in banks to store their sensitive personal and corporate data on computer servers. They should never have to face the shock of being financially vulnerable.
Besides the impacts on Thai customers, these latest intrusions will shake the international community’s confidence in the Thai banking system in terms of data security. That doubly makes it the government’s duty to fast-track legislation on data protection and data leaks that meets international standards, as set out by the European Union’s GDPR.
In the meantime, the Bank of Thailand also needs to come up with interim measures to prevent further leaks of sensitive customer data and to require timely and effective responses when such incidents occur.