02-347-7730  |  Saeree ERP - Complete ERP Solution for Thai Organizations Contact Us

66 Million Thai Citizens' Data Breach

Government IT | 2 April

Personal data of over 66 million Thai citizens — nearly the entire population — has been put up for sale on the Dark Web for just 1,650 baht ($46 USD). The leaked data includes Universal Coverage Scheme (Gold Card) records, Social Security records, civil servant healthcare records, and hospital names where individuals received treatment. Even the Prime Minister's data was not spared. This article provides a technical analysis of how it happened, how to check if your data was compromised, and what government IT systems must do to prevent it from happening again.

Timeline of Major Thai Data Breach Incidents:

  • Mar 2023 — 9Near: A hacker claimed to possess data of 55 million Thai citizens from the Mor Prom (Doctor Ready) app, including full names, national ID numbers, addresses, and phone numbers
  • Jan 2024 — Elderly Database: 20 million records from the Department of Older Persons, OBEC, and the Volunteer Defense Corps were sold on the Dark Web
  • 2024 — Government Agency: A government web application was hacked, leaking data of 200,000 individuals. The Personal Data Protection Committee (PDPC) imposed a 15 million baht fine
  • Feb 2026 — Social Security App: After an update to the SSO Connect app, addresses were swapped — users could see other people's addresses in their personal data
  • Mar 2026 — Move Forward Party (Successor): Member data was leaked, including national ID card images used for registration
  • 2026 — 66 Million Records: Healthcare entitlement data of nearly all Thai citizens was sold on the Dark Web for 1,650 baht

Technical Analysis — How Did This Happen?

Large-scale data breaches rarely stem from a single cause. They are typically the result of multiple vulnerabilities converging within a system. Based on analysis of past incidents, the most common causes found in Thai government IT systems are as follows:

1. APIs Without Authentication (Broken Authentication)

Many systems expose API endpoints that return records without any login, or protect them only with a static API key that is shared between integrators and never rotated. Even where a login is enforced, an endpoint that accepts a national ID as a parameter and does not check that the caller is entitled to that particular record (Broken Object Level Authorization) is just as easy to harvest. Hackers write scripts that walk the ID space record by record around the clock, because these systems have no rate limiting and no alert on abnormal data access volumes.

2. Unpatched SQL Injection Vulnerabilities

SQL Injection has been publicly documented for more than 25 years, yet it remains common in government web applications. When a system builds SQL text by pasting user input into the query instead of using Parameterized Queries, an attacker can inject SQL through an input field or URL parameter and pull the entire table, or the whole schema, in a single request.
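The contrast described above, as an added example that is not code from the original article: a vulnerable lookup that concatenates the national ID into the query next to the parameterized fix, run against an in-memory SQLite table of constructed sample records (not real people). The two payloads are the classic tautology that dumps every row and a UNION that reads the schema; on PostgreSQL or MySQL the schema table would be information_schema instead of sqlite_master.

```python
import sqlite3

# Constructed sample table standing in for a healthcare-entitlement lookup (not real people).
SAMPLE_ROWS = [
    ("1100000000011", "Somchai", "Gold Card", "Hospital A"),
    ("1100000000022", "Somsri", "Social Security", "Hospital B"),
    ("1100000000033", "Anan", "Civil Servant", "Hospital C"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entitlement (national_id TEXT, name TEXT, scheme TEXT, hospital TEXT)"
    )
    conn.executemany("INSERT INTO entitlement VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, national_id):
    """Vulnerable: the request parameter is pasted straight into the SQL text."""
    sql = (
        "SELECT national_id, name, scheme, hospital FROM entitlement "
        "WHERE national_id = '" + national_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, national_id):
    """Fixed: the driver sends the value separately, so it can never become SQL syntax."""
    sql = "SELECT national_id, name, scheme, hospital FROM entitlement WHERE national_id = ?"
    return conn.execute(sql, (national_id,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and returns
# every row; the second appends a UNION that reads table definitions from sqlite_master
# and comments out the closing quote with "--".
PAYLOAD_DUMP_ALL = "' OR '1'='1"
PAYLOAD_SCHEMA = "x' UNION SELECT name, sql, '', '' FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "vulnerable_dump": len(lookup_vulnerable(conn, PAYLOAD_DUMP_ALL)),
        "vulnerable_schema": lookup_vulnerable(conn, PAYLOAD_SCHEMA)[0][0],
        "fixed_dump": len(lookup_parameterized(conn, PAYLOAD_DUMP_ALL)),
        "fixed_schema": len(lookup_parameterized(conn, PAYLOAD_SCHEMA)),
        "legit": lookup_parameterized(conn, "1100000000022")[0][1],
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version treats both payloads as a literal 13-character string that matches nothing, while the legitimate lookup still works. Note that sqlite3 refuses stacked statements, so a "'; DROP TABLE" payload fails here, but many production drivers and databases do allow them.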

3. Publicly Exposed Databases (Misconfigured Database)

Many databases (MongoDB and Elasticsearch are the usual examples) end up reachable from the internet with no password at all. This typically happens when a system is deployed with a default or copied configuration: the bind address is set to all interfaces, authorization is never enabled, and the host firewall or cloud security group leaves the port open. Recent MongoDB releases (3.6 and later) bind to localhost by default, but older installs, container images and cloud templates frequently override this. Tools like Shodan and Censys continuously scan for such exposed databases worldwide, so an open instance is usually found within hours.
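The weak setting beside the corrected one, as an added example that is not part of the original article: a small audit function that reads a mongod.conf-style file and flags a wide-open bind address and missing authorization. Both configuration texts are constructed for the example, and the parser is a deliberately simple two-level key/value reader (an assumption, not a full YAML parser); it is enough for the standard MongoDB layout shown.

```python
# Constructed example of a mongod.conf as often shipped by default images or copied
# from a tutorial: listens on every interface and never turns on authorization.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened counterpart: localhost plus the application server's address
# only, with role-based authorization switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Minimal reader for two-level 'section:\\n  key: value' files (assumption:
    the config uses the plain layout above; nested deeper keys are ignored)."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                settings[key] = value
        else:
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_conf(conf_text):
    """Return a list of findings; an empty list means the two basic checks pass."""
    s = parse_simple_yaml(conf_text)
    findings = []
    bind = s.get("net.bindIp")
    if bind is None:
        findings.append(
            "net.bindIp not set: MongoDB 3.6+ defaults to localhost, older versions to all interfaces; set it explicitly"
        )
    elif s.get("net.bindIpAll", "").lower() == "true" or any(
        addr.strip() in ("0.0.0.0", "::") for addr in bind.split(",")
    ):
        findings.append(
            "net.bindIp listens on all interfaces; restrict it to localhost or the application server's address"
        )
    if s.get("security.authorization", "").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled'; anyone who can reach the port can read every collection"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it against the real /etc/mongod.conf on each database host as part of the weekly firewall and port review; the bind address check is also worth pairing with an external port scan from outside the network, since a restrictive config on the database is useless if a load balancer or NAT rule forwards the port anyway.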

4. Insider Threat — The Enemy Within

In many cases, data is not hacked from the outside but rather "extracted" by insiders with access privileges. These may be IT staff, contract employees, or outsourced companies that have been granted full admin access without any auditing in place.

5. No Data Processing Agreement (DPA) with Developers

The 2024 case where PDPC imposed a 15 million baht fine clearly demonstrated that government agencies outsourced web application development but had no Data Processing Agreement (DPA), no verification of the developer's security standards, no security audit before going live, and used weak passwords.

6. Unencrypted Data (No Encryption at Rest)

If an attacker steals a database dump, a backup tape or a decommissioned disk, properly encrypted data (AES-256 or similar) is unreadable to them. Two caveats matter in practice: the keys must live somewhere the database host cannot read (an HSM, a cloud KMS or a secrets vault), otherwise the dump and the key are stolen together; and encryption at rest does nothing against an attacker who reads through the application, for example via SQL Injection or a stolen API key, because the application decrypts for them. It closes one large class of breach, not all of them. Even so, most government systems store personal data as plain text: national ID numbers, names, addresses and phone numbers with no encryption whatsoever.
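Field-level encryption of the kind described above, as an added example that is not code from the original article. It assumes the third-party `cryptography` package and generates the keys in memory; in production both keys would come from a KMS/HSM that the database host cannot reach. The sample records are constructed. It goes one step beyond the paragraph: because a randomly-encrypted national ID can no longer be searched for, a keyed blind index (HMAC) is stored alongside it so the application can still look a citizen up by ID without the ID ever sitting in the table in plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM

# Assumption: in production these come from a KMS/HSM or secrets vault, never from
# the database server. Generated in memory here so the example runs stand-alone.
DATA_KEY = AESGCM.generate_key(bit_length=256)
INDEX_KEY = os.urandom(32)


def encrypt_field(key, record_id, column, plaintext):
    """AES-256-GCM with a fresh random nonce. The row id and column name are bound in
    as associated data, so a ciphertext copied into another row fails to decrypt."""
    nonce = os.urandom(NONCE_LEN)
    aad = f"{record_id}:{column}".encode()
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), aad)


def decrypt_field(key, record_id, column, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    aad = f"{record_id}:{column}".encode()
    return AESGCM(key).decrypt(nonce, ciphertext, aad).decode()


def blind_index(key, national_id):
    """Keyed hash used for equality lookup. HMAC rather than plain SHA-256, because the
    13-digit ID space is small enough to brute-force an unkeyed hash from a dump."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


def build_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizen (id INTEGER PRIMARY KEY, nid_index TEXT, "
        "nid BLOB, name BLOB, hospital BLOB)"
    )
    # Constructed sample records, not real people.
    rows = [(1, "1100000000011", "Somchai", "Hospital A"),
            (2, "1100000000022", "Somsri", "Hospital B")]
    for rid, nid, name, hosp in rows:
        conn.execute(
            "INSERT INTO citizen VALUES (?, ?, ?, ?, ?)",
            (rid, blind_index(INDEX_KEY, nid),
             encrypt_field(DATA_KEY, rid, "nid", nid),
             encrypt_field(DATA_KEY, rid, "name", name),
             encrypt_field(DATA_KEY, rid, "hospital", hosp)),
        )
    return conn


def lookup(conn, national_id):
    """Application-side lookup: hash the ID, find the row, decrypt the fields."""
    row = conn.execute(
        "SELECT id, name, hospital FROM citizen WHERE nid_index = ?",
        (blind_index(INDEX_KEY, national_id),),
    ).fetchone()
    if row is None:
        return None
    rid, name_blob, hosp_blob = row
    return {
        "id": rid,
        "name": decrypt_field(DATA_KEY, rid, "name", name_blob),
        "hospital": decrypt_field(DATA_KEY, rid, "hospital", hosp_blob),
    }


def dump_contains_plaintext(conn):
    """What someone who copies the database file gets: only ciphertext bytes."""
    raw = b"".join(
        col for row in conn.execute("SELECT nid, name, hospital FROM citizen") for col in row
    )
    return any(s.encode() in raw for s in ("1100000000011", "Somchai", "Hospital"))


def swap_attack_detected(conn):
    """Moving record 2's name ciphertext into record 1 is rejected (InvalidTag)
    because the row id is part of the associated data."""
    blob2 = conn.execute("SELECT name FROM citizen WHERE id = 2").fetchone()[0]
    try:
        decrypt_field(DATA_KEY, 1, "name", blob2)
        return False
    except InvalidTag:
        return True
```

The application still works normally for a legitimate lookup, while a stolen copy of the table yields neither names nor ID numbers. The limitation noted above remains: an attacker who can call `lookup` through the application gets plaintext, which is why the authentication, authorization and rate-limiting controls are not optional extras on top of encryption.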

Common Vulnerabilities Found in Thai Government IT Systems:

| Vulnerability | Severity | Found In |
|---|---|---|
| Broken Authentication / No Auth API | Critical | Mor Prom, Social Security |
| SQL Injection | Critical | Multiple government web apps |
| Misconfigured Database | High | Common in MongoDB, Elasticsearch |
| No Encryption at Rest | High | Nearly every incident |
| No DPA with Vendors | Medium | PDPC 15M baht fine case |
| Insider Threat / Over-privileged Access | High | Multiple undisclosed cases |

Check Yourself — Has Your Data Been Compromised?

When a large-scale data breach occurs, the first thing to do is check whether your data has been affected:

For Individuals

  • Check via Have I Been Pwned (haveibeenpwned.com) — enter your email to see whether it appears in any breach the site has indexed. Note that it is keyed on email addresses, so a leak that contains only national ID numbers and names (like this one) will not show up there
  • Check the Social Security App (SSO Plus) — open the SSO Plus app to verify that your address, phone number, and email are correct
  • Change your passwords immediately — especially for systems that use your national ID number as the username; change all passwords
  • Enable Two-Factor Authentication (2FA) — enable two-factor authentication on every service that supports it
  • Beware of scams — after data leaks, scammers often call pretending to be banks, Social Security, or government agencies, using your real data to appear more credible

For IT Administrators / Organizations

  • Review Access Logs — check for abnormal database access volumes, such as queries pulling hundreds of thousands of records in a short time
  • Run Vulnerability Scans — use tools like OWASP ZAP, Nessus, or Burp Suite to scan for SQL Injection, XSS, and other vulnerabilities
  • Monitor the Dark Web — use Dark Web Monitoring services (such as SpyCloud, Have I Been Pwned for Domain) to check if organizational data is being sold
  • Review Access Privileges — audit who has access to what data and revoke unnecessary permissions
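The access-log review described in the first item above, and the "scrape record by record" pattern from the Broken Authentication section earlier, as an added example that is not code from the original article. It runs over a constructed log (the format, the API path and the key names are assumptions) and flags an API key on two signals: too many lookups inside a sliding window, and a high share of consecutive lookups whose national IDs differ by exactly one, which is what an enumeration script looks like and a clinic's real traffic does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> key=<api key> ip=<addr> GET /api/v1/citizen/<13-digit id> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) "
    r"GET /api/v1/citizen/(?P<cid>\d{13}) (?P<status>\d{3})$"
)


def build_sample_log():
    """Constructed sample: a clinic doing a few unrelated lookups over an hour, and a
    scraper walking sequential IDs every two seconds. Not real traffic."""
    lines = []
    start = datetime(2026, 3, 14, 2, 0, 0)
    normal_ids = ["1100000000011", "3400000000257", "1209900000123", "5700000000890"]
    for i, cid in enumerate(normal_ids):
        ts = start + timedelta(minutes=15 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key=clinic-42 ip=203.0.113.10 GET /api/v1/citizen/{cid} 200")
    base = 1100000000100
    for i in range(300):
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key=batch-7f3a ip=198.51.100.7 GET /api/v1/citizen/{base + i} 200")
    return lines


def detect_scraping(lines, window=timedelta(minutes=10), max_per_window=100, seq_ratio=0.8):
    """Return {api_key: [reasons]} for keys whose behaviour looks like bulk extraction.
    Thresholds are illustrative; tune them to the real per-client baseline."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated endpoint or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["key"]].append((ts, int(m["cid"])))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        # Peak request count inside any `window`-long sliding interval.
        peak, j = 0, 0
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        # Enumeration signal: fraction of consecutive lookups with IDs exactly 1 apart.
        steps = [b[1] - a[1] for a, b in zip(evs, evs[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0

        reasons = []
        if peak > max_per_window:
            reasons.append(f"{peak} lookups within {window}")
        if len(evs) >= 20 and ratio >= seq_ratio:
            reasons.append(f"{ratio:.0%} of lookups are sequential national IDs")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in detect_scraping(build_sample_log()).items():
        print(key, "->", "; ".join(reasons))
```

The same two measurements are what an inline rate limiter should act on: block or step up authentication for the key once the window count is exceeded, and page the on-call engineer when the sequential-ID ratio climbs, since a legitimate client almost never asks for IDs in counting order.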

Why Do Government Systems Keep Getting Breached?

A question many people ask is why Thai government IT systems suffer repeated data breaches. The true structural causes are multifaceted:

  • IT budgets are focused on "building," not "maintaining" — government agencies typically have budgets for developing new systems but no budget for security audits, penetration testing, or post-launch system monitoring
  • Outsource and forget — external companies are hired to develop systems, but there is no code review, security testing, or even a DPA before project handover
  • No dedicated Security Team — many agencies lack a dedicated cybersecurity team, relying on general IT staff to handle everything from computer repairs to database management
  • Legacy systems never updated — many systems were built over 10 years ago using outdated frameworks with known vulnerabilities, but there is no budget or personnel to update them
  • No strict legal enforcement — although Thailand has the Personal Data Protection Act (PDPA), penalties remain lenient and enforcement is inconsistent, compared to Europe's GDPR, which allows fines of up to 4% of a company's worldwide annual turnover or €20 million, whichever is higher

How to Prevent — Security Checklist for Government IT Systems

Based on past lessons, here is a checklist that government (and private) IT systems should have at minimum:

Security Checklist for Systems Storing Personal Data:

Level 1: Basic (Must Have)

  • Encrypt personal data in the database (Encryption at Rest — AES-256)
  • Encrypt data in transit (Encryption in Transit — TLS 1.2+)
  • Use Parameterized Queries to prevent SQL Injection on every endpoint
  • All APIs must have Authentication + Authorization
  • Set Rate Limiting for every API endpoint
  • Change Default Credentials on all systems
  • Firewall — close all unnecessary ports

Level 2: Monitoring (Should Have)

  • Conduct Penetration Tests at least once per year
  • Vulnerability Assessments every quarter
  • Role-Based Access Control (RBAC) — grant only necessary permissions
  • Audit Logs for all personal data access, retained for at least 1 year
  • Establish Data Processing Agreements (DPA) with all developers
  • Code Review before every deployment

Level 3: Advanced (Recommended)

  • Security Information and Event Management (SIEM) for real-time monitoring
  • Data Loss Prevention (DLP) to prevent internal data leaks
  • Zero Trust Architecture — trust no one, verify every time
  • Incident Response Plan — practiced with live drills annually
  • Bug Bounty Program — allow external experts to report vulnerabilities

Lessons for Government ERP Systems

ERP systems are the backbone of any organization, storing everything from employee data (HR) and financial records (GL) to vendor and customer information (AP/AR). A breach of the ERP therefore has a far larger blast radius than a breach of a single departmental application: payroll, banking details, supplier contracts and personal data are exposed together.

What a good ERP system must have from the design stage (Security by Design):

  • Role-Based Access Control (RBAC) — each user sees only the data they need. Procurement staff should not be able to see salary information
  • Audit Trail for every action — who did what, when, and what data was modified must be fully traceable
  • Encryption both at Rest and in Transit — data in the database and data transmitted between client-server must be encrypted
  • Two-Factor Authentication — not just passwords; two-factor verification is required for accessing sensitive data
  • No reliance on Third-party Cloud without DPA — choose systems deployed on your organization's own servers, or cloud providers with clear compliance

Warning for Government IT Executives:

Data breaches are not a matter of "if" but "when" — every system storing personal data is at risk. What separates secure organizations from breached ones is preparation, not hoping it won't happen. Agencies that have not yet conducted a Security Audit should start today — don't wait for an incident to happen first.

IT Maintenance Budget — How Much Should You Spend?

The primary reason government IT systems keep getting breached is that there is always budget for purchasing new systems, but little to no budget for maintenance. Many agencies invest tens of millions of baht building systems, but once the project is delivered, there is no budget for ongoing maintenance. It's like buying a new car and never changing the oil.

How Much Should IT Maintenance Cost?

A commonly cited industry rule of thumb (often attributed to analyst firms such as Gartner; it is not a figure from any formal standard) is that annual maintenance should be 15-20% of the system's value. For Thai government agencies, a workable breakdown is as follows:

| Item | Budget Proportion | Example (10M Baht System) | Activities |
|---|---|---|---|
| Software Maintenance | 5-8% | 500,000-800,000/year | Patch updates, bug fixes, system updates for new regulations |
| Security Operations | 3-5% | 300,000-500,000/year | Penetration Test, Vulnerability Scan, Security Audit, Monitoring |
| Infrastructure | 3-4% | 300,000-400,000/year | Server costs, backup, TLS certificate, domain, cloud hosting |
| Training & Awareness | 1-2% | 100,000-200,000/year | Security Awareness training for staff, Incident Response drills |
| Incident Response Reserve | 2-3% | 200,000-300,000/year | Emergency reserve fund, forensics, PDPC notification |
| Total | 15-20% | 1.5-2.0 million/year | For a system valued at 10 million baht |

Note for Smaller Systems:

The 15-20% ratio applies to systems valued at 10 million baht or above. For smaller systems, the maintenance budget may need to exceed 20% because fixed costs such as Security Audits and Backup Infrastructure do not scale down with system value — a 3-million-baht system requires the same security monitoring as a 10-million-baht one.

The Reality in Thai Government:

Most agencies allocate only 3-5% of system value for IT maintenance — or in some cases, nothing at all. After the development contract ends, no one maintains the system — no patch updates, no vulnerability scanning — until it becomes an "orphaned system" waiting to be breached.

What Maintenance Should Cover — By Frequency

Daily Operations

  • Verify Backup completion — both database backup and file backup
  • Monitor Server uptime, CPU, Memory, Disk usage
  • Review Security Logs — check for abnormal login attempts
  • Verify the TLS certificate is valid and check how many days remain before it expires

Weekly

  • Apply OS security patches
  • Review Firewall rules — check for unnecessarily open ports
  • Check Disk space — clean old logs, temp files
  • Test Backup restore — a backup that has never been restore-tested is not a backup

Monthly

  • Vulnerability Scan with automated tools
  • Review User accounts — disable accounts for departed or expired-contract staff
  • Review Access privileges — check for over-privileged users
  • Apply Application patches (ERP, middleware, libraries)
  • Check Database performance — identify abnormally slow queries

Quarterly

  • Security Assessment / Mini Penetration Test
  • Review Disaster Recovery Plan
  • Conduct Security Awareness training for staff
  • Review DPA with external vendors

Annually

  • Full Penetration Test by external specialists
  • Security Audit against standards (ISO 27001, NIST CSF)
  • Incident Response drill — simulate a data breach scenario
  • Review PDPA Compliance policies
  • Replace hardware that is out of warranty or vendor support (no more firmware and security updates)

Monthly Reports for Management

IT system administrators (or contracted maintenance companies) should prepare a Monthly Security & Operations Report for management every month. The report should contain at minimum the following:

Monthly Security & Operations Report Outline:

1. Executive Summary

  • Overall status: Secure / At Risk / Critical
  • Key incidents in the past month (if any)
  • 3 key metrics: Uptime %, Number of vulnerabilities found, Number of anomalous events

2. System Availability Report

  • Uptime/Downtime of core systems (target: 99.5%+)
  • Root cause of downtime (if any) and remediation plan
  • Performance metrics: Response time, concurrent user count

3. Security Report

  • Vulnerability scan results: Count of Critical / High / Medium / Low
  • Vulnerabilities remediated vs. outstanding (with reasons and remediation timeline)
  • Number of abnormal failed login attempts
  • Security patches installed this month

4. Backup & Recovery Report

  • Daily backup status: Success / Failure
  • Restore test results (the schedule above calls for weekly tests; report at least one per month)
  • Measured recovery time from the restore test vs. the Recovery Time Objective (RTO) target

5. User Access Report

  • Active users, New users, Disabled users this month
  • List of users with admin / super user privileges
  • Accounts inactive for over 90 days (should be disabled)

6. Next Month's Plan

  • Patches to be installed
  • Planned improvements
  • Budget spent vs. remaining

7. Recommendations / Risks Requiring Decisions

  • Risks requiring management approval for budget/remediation plans
  • System improvement proposals (if any)

This report does not need to be lengthy — 2-3 A4 pages is sufficient. What matters is that it is produced consistently every month and that management actually reads it, asks questions, and takes action. A report that nobody reads is no different from having no report at all.

The Cost of "Not Maintaining" vs. "Maintaining":

| Item | Prevention Cost (Per Year) | Damage Cost When Breached |
|---|---|---|
| Penetration Test | 200,000-500,000 baht | |
| Security Monitoring | 300,000-600,000 baht | |
| PDPC Fine | | Up to 5 million baht per violation |
| Forensic Investigation | | 500,000-2,000,000 baht |
| Rebuilding the System | | 5-20 million baht |
| Reputational Damage | | Incalculable |
| Total | 1.5-2.0 million per year (full maintenance budget from the table above) | 5.5-27+ million (one-time) |

As the table shows, prevention costs of 1.5-2 million baht per year are far cheaper than the 5.5-27 million baht damage from a single breach — not to mention the incalculable damage to public trust. A maintenance budget is not an "expense" but rather the most cost-effective "insurance policy" you can buy.

Conclusion

The 66 million record data breach is no surprise to cybersecurity experts, as the structural problems have existed for years — legacy systems, no auditing, no encryption, no DPA. Here is what each stakeholder should do now:

  • Individuals: Change passwords, enable 2FA, watch out for scammers
  • System Administrators: Run vulnerability scans, review access logs, audit access privileges
  • Executives: Allocate budget for security audits, choose systems with Security by Design, establish DPAs with all vendors

Personal data of 66 million Thai citizens is being sold on the Dark Web for just 1,650 baht — cheaper than a year's worth of coffee. The question is: how much longer will government IT systems continue using the same standards?

— Saeree ERP Team


Interested in a Secure ERP for Your Organization?

Saeree ERP is designed with Security by Design — RBAC, Audit Trail, Encryption. Free consultation


Call 02-347-7730 | sale@grandlinux.com


About the Author

Paitoon Butri

Network & Server Security Specialist, Grand Linux Solution Co., Ltd.