A civil society group on Wednesday petitioned a parliamentary committee to investigate an alleged data breach involving a state agency responsible for healthcare entitlements, claiming sensitive personal information of 67.1 million people may have been exposed.
The complaint was submitted at parliament by a group led by Thanarat Kuawattanapan, CEO of Domecloud and a software and blockchain technology expert, to Alongkot Maneekas, a Bhumjaithai Party MP for Nakhon Phanom and chairman of the House Committee on Communications, Telecommunications, and Digital Economy and Society.
Mr Thanarat said the system allowed searches using national ID numbers or individuals' names, enabling access to a wide range of personal data, including ID card numbers, dates of birth, registered addresses, healthcare entitlement information, and even details about parents. He said he had reported the vulnerability to the responsible agency for a second time this year and classified the flaw as a critical-level security risk.
"I previously alerted authorities about a leak involving the same database in March. Although the vulnerabilities involved different systems and different methods of access, both incidents were linked to the same or related databases. This shows a systemic failure in controlling access to personal data," Mr Thanarat said.
Data from the agency says the database covers some 67.1 million people. Mr Thanarat said his preliminary assessment suggested everyone whose information was stored in the database could be at risk. He urged the agency to disclose the number of affected individuals.
He also claimed the leaked data had already appeared on black-market platforms and questioned whether the agency had reported the breach to Thailand's Personal Data Protection Committee within the legally required 72-hour timeframe. The exposed information, he warned, could become a valuable resource for call-centre scam networks.
"Authorities have focused on cracking down on mule accounts, but those are only the end point. If Thailand wants to solve the call-centre scam problem sustainably, it must stop the leakage of citizens' data at the source," he said. Mr Alongkot acknowledged the seriousness of the allegations, and said witnesses would be called next week to explain what happened.
