His remarks followed the data leaks reported by Kasikorn Bank and Krung Thai Bank, where personal and corporate data of more than 120,000 bank customers were compromised.
Krung Thai Bank reported to the Bank of Thailand that the personal data of 117,000 customers applying online for personal, housing and other loans was hacked. Kasikorn Bank reported that corporate data of about 3,000 customers using the bank’s online letter of guarantee service was compromised.
Cyber-security experts said the incidents serve as a wake-up call for regulators and other authorities as Thailand accelerates the pace of its digital economy.
While bank executives said the data leaks have caused no damage so far, experts said data, especially personal data, is very sensitive and potential damage cannot be ruled out. Experts have urged the government to quickly strengthen legal safeguards against data leaks, with special measures added to the data protection bill, which will be enacted later this year.
At present, the National Broadcasting and Telecommunications Commission’s rules require telecom operators to report any data leaks to authorities within 72 hours. However, there are no regulations for the banking sector yet.
Experts have also suggested that the country’s data protection bill should meet the international standard set by the European Union’s General Data Protection Regulation (GDPR) which went into effect in May this year, since the law covers both data protection and data leak issues with punitive measures.
Regarding Thailand, Kitti said, a national cyber-security committee has highlighted the issue of an insufficient number of cyber-security experts and it is seeking state funds to develop more human resources.
At present, there is a widespread shortage of experts in virtually all sectors of the economy.
Thailand's fast-growing digital economy has led to a huge increase in Big Data, especially personal data stored on the computer systems of telecom companies, banks and other financial institutions, which have become a major target for cyber-attacks.
As a result, authorities have to step up both prevention and detection measures as well as prepare how best to respond to these attacks.
“For example, the time it takes to respond to these attacks is no less important than prevention and detection measures, so we need to develop more experts in this field to cope with the rising number of incidents. In addition, consumers need to have greater awareness on protecting their personal data,” Kitti said.
Since the digital economy is driven by the massive amount of personal and other data, it is not possible to completely prevent all data leaks which could be facilitated by malware, ransomware and other methods.
In this context, personal data is the most sensitive and could be widely abused, especially in the world of digital banking and customer IDs.
Kitti said public awareness campaigns are necessary to facilitate the fast-growing digital and mobile banking sector as commercial banks move more customers to mobile and other digital platforms which are seen as a new competitive advantage due to increased convenience for customers and increased efficiency for banks.
“Member banks of the TB-CERT are working together to strengthen our safeguards on cyber-security by sharing information and experience in various cases so that the sector can more effectively plug their loopholes to prevent new attacks. However, each bank has its own monitoring and alert mechanisms. At this stage, TB-CERT focuses on how best to respond to cyber-attacks,” he said.
More funding needed
Due to the migration of banking services from branches to online and mobile platforms, it is necessary to increase investment in additional security and other precautionary measures since there are greater probabilities of incidents.
In his opinion, prevention and detection as well as best responses are key to ensuring that banking services are not disrupted by attacks. Previously, most banks focussed on prevention and later detection. Now, timely responses are also very important.