Cybercrime a real threat
As the government pushes to transform Thailand into a “cashless society”, a series of security breaches of banks’ computer systems over the past few years have made many reluctant to fully embrace online and mobile banking services. Last week’s hacking of two major banks should be seen as a warning sign to bankers, regulators and lawmakers that they are lagging in the fight to counter cyber attacks and protect consumers.
Even though there were no financial losses, cybercriminals last week managed to steal the personal information of 123,000 personal and corporate customers. Representatives of the Bank of Thailand (BoT) and the two banks, Kasikornbank (KBank) and Krungthai Bank (KTB), said the information leaked was not financial transaction data but “general” personal data.
However, there’s a risk in playing down the latest attack given the constantly evolving and ever more sophisticated nature of cybercrimes.
For one thing, the stolen personal data can be further abused and exploited.
With cyber-attackers’ growing capabilities, banks and financial institutions will remain vulnerable to hacking. It is hard to rule out the possibility that financial transaction data will become vulnerable to future cyber heists.
Such attacks have become more common in both developed and developing countries. Most recently, in May, hackers stole the data of 90,000 customers of two Canadian banks — the Bank of Montreal and the Canadian Imperial Bank of Commerce. In February 2016, the servers of Bangladesh’s central bank were hacked resulting in financial losses of more than US$81 million.
Thailand has also witnessed a number of cyber heists. These include a 1-million-baht robbery from a KBank account and the hacking of Government Savings Bank ATMs in 2016. In April, 11,400 TrueMove H customers had their information leaked.
These incidents expose security flaws. Even though the UN International Telecommunication Union last year ranked Thailand 20th out of 77 countries in cybersecurity, the country has also been rated by a security software firm as one of the world’s top targets for attacks by online banking and point-of-sale malware infections.
Following last week’s attack, KBank said it has increased its level of data surveillance, while KTB insisted it has upgraded its security. In fact, all financial institutions need to regularly enhance and advance their defences against cyber attacks. More importantly, they need to invest more in cybersecurity to fully shield customers from the risk of hacking.
For now, it’s best the banks share information of these breaches with each other. The central bank itself needs to come up with measures for the timely reporting of cyber heists.
Thailand also does not have an adequate legal framework to deal with the trend.
Disappointingly, the Computer Crime Act has not been used to serve its goal of protecting the public against hackers, internet spam and other threats. Instead, law enforcement agencies have used it to silence political activists and government critics.
Cybersecurity experts have pinned their hope on the Personal Data Protection Bill, but not in its current form. The latest version of the bill has been criticised for not addressing newer technologies like the Internet of Things, artificial intelligence and big data. It also lacks penalties for those who leak data and excludes a requirement for businesses regarding data protection. Additionally, the bill should require companies to only collect and store relevant, adequate and necessary customer data.
The National Legislative Assembly, which is vetting the bill, must pay heed to calls for amendments to the bill.
Hacking may not be fully preventable, but it would be remiss of the country, and its institutions, not to make a better effort at tackling what could amount to a very expensive problem.