News reports of leaked, breached, and hacked data at several organizations show that incidents have occurred continuously over the past few weeks. Let's study the data involved in each case to understand these data breaches under GDPR/PDPA.
One airline in Thailand was subjected to a cybersecurity attack.
This attack resulted in unauthorized access to personal data, which violates the law. The leaked data includes names, nationalities, genders, phone numbers, emails, addresses, passport information, travel histories, partial credit card information, and food allergy information. This incident violates Section 37 of the PDPA. Ultimately, the Data Protection Officer (DPO) and the company must issue statements addressing the event and the problems that occurred, along with announcing compensatory measures.
![](https://static.wixstatic.com/media/nsplsh_4f69695468433857663638~mv2_d_5000_3333_s_4_2.jpg/v1/fill/w_980,h_653,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/nsplsh_4f69695468433857663638~mv2_d_5000_3333_s_4_2.jpg)
A leading retail organization in the country has come forward to admit that it was hacked and that data was stolen.
Just a few weeks ago, the organization admitted that there was indeed a hack, and the data taken by the hackers consists of customers' names, surnames, phone numbers, emails, and addresses. If the organization continues to store such data in large quantities, it will pose risks in data management. The more data an organization holds, the greater the need for heightened cybersecurity measures. However, the data breach still violates Section 37 of the PDPA, which addresses cybersecurity and data breaches. The company is required to report within 72 hours of the data breach, but in this case, no such action has been taken.
![](https://static.wixstatic.com/media/nsplsh_aa0ec9e6b410425f93b9d11bcb9c25e9~mv2.jpg/v1/fill/w_980,h_653,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/nsplsh_aa0ec9e6b410425f93b9d11bcb9c25e9~mv2.jpg)
The country's major ministry has been hacked, with over 16 million data records compromised.
The hacking incident, involving over 16 million sensitive data records, has made the country's major ministry a significant news headline. The hacked data falls into the category of sensitive information (as per Article 24), including patient records such as names, surnames, phone numbers, treatment rights, patient appointment histories, and admission information. It's crucial that such data is well protected. Moreover, even governmental organizations themselves must ensure the highest level of data protection to prevent hacking or data leaks.
![](https://static.wixstatic.com/media/nsplsh_7f362ca244f6462383a295068bf73329~mv2.jpg/v1/fill/w_980,h_653,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/nsplsh_7f362ca244f6462383a295068bf73329~mv2.jpg)
Ultimately, when discussing PDPA/GDPR, it's not just about having contracts or obtaining consent. It also involves the work of the Data Protection Officer (DPO), the digital security measures implemented by the company, and the management of data protection. This includes data storage and classification, all of which are crucial aspects of PDPA/GDPR compliance.