News & Knowledge

Cybersecurity news and insights for business decision-makers.

Impactful cybersecurity incidents from Thailand and around the world — explained for executives, IT managers, and business owners. Plus articles and case studies from the ITS team.


News: Thailand

Critical · 2023-04-03 · ETDA / Reuters

9near.org leak: personal data of ~55 million Thais exposed for sale

In March 2023, a threat actor using the alias '9Near' claimed to possess personal data of approximately 55 million Thai citizens — close to the entire adult population — and listed it for sale on a dark-web forum. The dataset reportedly included full names, Thai national ID numbers, dates of birth, and phone numbers. The leak prompted intervention from Thailand's Ministry of Digital Economy and Society (MDES) and the National Cyber Security Agency (NCSA), and the 9near.org site was taken offline within days. Investigators traced the source to a government-adjacent system rather than a single private breach, highlighting how data aggregated across public services becomes a single point of catastrophic failure when access controls fail.

The incident became a defining PDPA test case. While PDPA had been in force since June 2022, this was the first nationally visible breach to trigger public scrutiny of data-controller obligations: 72-hour notification, evidence preservation, and impact assessment. Several enterprises holding similar datasets quietly audited their own access logs in the weeks that followed.

What this means for your business

Audit every system that holds aggregated personal data — especially shared APIs and reporting databases. Assume external attackers know which datasets exist; the question is who can read them and whether you would notice exfiltration in time.
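The "would you notice exfiltration in time" question above is answerable with a simple bulk-read detector over database audit logs. The following is an added example, not ITS's tooling or anything from the incident itself; the audit-line schema, the table name citizen_master, the thresholds and the sample log are all constructed for illustration. It flags two things on tables marked as holding aggregated personal data: any single query returning more rows than an absolute cap, and any hour whose total reads exceed a multiple of that account's own median hour.

```python
"""Bulk-read detection over database audit logs (added example, not ITS's tooling).

Each audit line is a constructed JSON record: {"ts", "user", "table", "rows"}.
This is a simplified schema for illustration, not any specific DBMS's audit format.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"citizen_master"}   # assumption: the tables holding aggregated personal data
ABS_ROW_CAP = 100_000                   # assumption: no legitimate single query needs more than this
BASELINE_MULTIPLIER = 10                # assumption: 10x the account's median hour is abnormal
MIN_BASELINE_HOURS = 3                  # below this much history the baseline rule is not applied


def parse(lines):
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def hourly_volumes(events):
    """(user, table) -> {hour_start: total rows read in that hour}"""
    vol = defaultdict(lambda: defaultdict(int))
    for ev in events:
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        vol[(ev["user"], ev["table"])][hour] += ev["rows"]
    return vol


def detect(lines, now):
    """Return alert dicts for reads of sensitive tables; the baseline rule looks at the 24h before `now`."""
    events = parse(lines)
    alerts = []
    # Rule 1: one query pulling more than the absolute cap, regardless of who ran it.
    for ev in events:
        if ev["table"] in SENSITIVE_TABLES and ev["rows"] > ABS_ROW_CAP:
            alerts.append({"user": ev["user"], "table": ev["table"], "when": ev["ts"].isoformat(),
                           "rows": ev["rows"], "reason": "single_query_over_cap"})
    # Rule 2: an hour far above the account's own typical hour on the same table.
    cutoff = now - timedelta(hours=24)
    for (user, table), hours in hourly_volumes(events).items():
        if table not in SENSITIVE_TABLES:
            continue
        history = [rows for h, rows in hours.items() if h < cutoff]
        if len(history) < MIN_BASELINE_HOURS:
            continue  # a brand-new account has no baseline; the cap rule still applies to it
        baseline = statistics.median(history)
        for h, rows in sorted(hours.items()):
            if h >= cutoff and rows > baseline * BASELINE_MULTIPLIER:
                alerts.append({"user": user, "table": table, "when": h.isoformat(), "rows": rows,
                               "reason": "hourly_volume_over_baseline", "baseline_rows": baseline})
    return alerts


def _constructed_log():
    """Constructed sample: a reporting service account with a steady nightly pull, then a mass read."""
    base = datetime(2023, 3, 1, 0, 0)
    lines = []
    for day in range(4):  # four nights of routine reporting, a few hundred rows each
        ts = base + timedelta(days=day, hours=2)
        lines.append(json.dumps({"ts": ts.isoformat(), "user": "report_svc",
                                 "table": "citizen_master", "rows": 600 + 50 * day}))
    t = base + timedelta(days=4, hours=3, minutes=17)  # night five: 2.1 million rows in three queries
    for i in range(3):
        lines.append(json.dumps({"ts": (t + timedelta(minutes=i)).isoformat(), "user": "report_svc",
                                 "table": "citizen_master", "rows": 700_000}))
    # large read of a non-sensitive table: not in scope, must not alert
    lines.append(json.dumps({"ts": (base + timedelta(days=4, hours=9)).isoformat(), "user": "analyst1",
                             "table": "ticket_queue", "rows": 5_000_000}))
    return lines


SAMPLE_LOG = _constructed_log()
NOW = datetime(2023, 3, 5, 12, 0)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, NOW):
        print(alert)
```

On the constructed log the service account's median hour is 675 rows, so the 2.1 million-row hour trips the baseline rule once and each 700,000-row query trips the cap rule; the analyst's large read of a non-sensitive table is ignored. The baseline rule deliberately stays quiet for accounts with too little history, which is why the absolute cap is kept alongside it.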

High · 2024-05-12 · RBI / Bangkok Post

Cross-border call-center gangs cost Thai victims over THB 60 billion (2022–2024)

Thailand's Anti-Online Scam Operation Centre (AOC 1441) reported that financial losses from online scams, dominated by call-centre fraud run from compounds in neighbouring countries, exceeded THB 60 billion between 2022 and 2024. Tactics evolved rapidly: from simple impersonation of police officers and parcel-delivery couriers, through 'pig-butchering' romance-investment scams that drained victims' life savings, to malicious Android apps that hijacked banking sessions in real time. Several Thai banks introduced biometric-based limits and friction prompts in response.

The operational pattern is unusual: most attackers are not technical specialists. They are organised crime groups running scripted social-engineering operations at industrial scale, supported by money-mule networks moving funds through cryptocurrency and informal value-transfer systems. Defence is now a shared problem between banks, telcos, regulators, and end-user security awareness.

What this means for your business

Cybersecurity awareness training in the Thai language, built on locally relevant scenarios, materially reduces successful scams. Pair it with transaction-monitoring controls: most losses can still be stopped in the window between a victim's first transfer and the next, provided the bank's systems are watching for that pattern.

Critical · 2021-09-07 · MoPH / The Nation

Phetchabun hospital ransomware: patient records frozen, services degraded

In September 2021, a Thai provincial hospital was hit by ransomware that encrypted patient-record systems, forcing staff to revert to paper for admissions, prescriptions, and lab results. Service degradation lasted several days while IT teams isolated affected segments and restored from backups. While the Ministry of Public Health did not pay a ransom, the incident demonstrated how dependence on a single electronic medical record (EMR) instance, with insufficient network segmentation between clinical and administrative networks, can paralyse care delivery.

This was not an isolated case. Healthcare globally has become a top ransomware target because operators know hospitals cannot tolerate downtime — increasing the pressure to pay. In Thailand, the public-hospital network's flat connectivity model and patchwork of legacy biomedical devices remain structural weaknesses three years later.

What this means for your business

Segment clinical networks from corporate IT, keep offline-validated backups, and pre-write manual fallback procedures. The recovery time you assume is rarely the recovery time you experience.

High · 2024-08-20 · Bank of Thailand

BOT warns of deepfake-driven banking fraud targeting Thai customers

The Bank of Thailand issued public warnings throughout 2024 about a growing wave of deepfake-enabled fraud, in which attackers use AI-generated video and voice to impersonate family members, executives, or bank staff. In confirmed cases, victims received video calls that appeared to show a relative in distress requesting an emergency transfer; others received voice messages mimicking a CFO instructing a treasury team to wire funds. The realism collapsed the few seconds of doubt that traditionally protected victims.

Thai banks have responded with stricter limits on first-time payees, biometric step-up for high-value transfers, and a public-education push on AOC 1441. But the underlying capability gap is widening: generative-AI tools for voice cloning now require under a minute of source audio, which is trivial to harvest from social-media videos.

What this means for your business

Establish a verbal pass-phrase for financial requests with your family and your finance team. Pair every high-value transfer with a separately-channeled confirmation — never trust voice or video alone in 2024.
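The transaction-side controls this item and the call-centre item above both point to (friction on first-time payees, a hold on the rapid follow-up transfer, a cap on money flowing to new payees) can be expressed as a small rule set. The following is an added example written for this page, not any bank's or regulator's actual logic; the thresholds, the payee names and the scenario are assumed values constructed for illustration. It returns a decision for each outbound transfer given the account's completed transfer history.

```python
"""Payee-risk rules for outbound transfers (added example, not a bank's real logic).

Three controls: biometric step-up for a first-time payee above an amount, a hold on the
rapid second transfer to a freshly added payee, and a daily cap on funds to new payees.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    account: str
    payee: str
    amount: int  # THB

# Assumed policy values for illustration, not any bank's or regulator's thresholds
STEP_UP_AMOUNT = 50_000                 # first-time payee above this: biometric step-up
REPEAT_WINDOW = timedelta(minutes=15)   # second transfer to a new payee inside this: hold
NEW_PAYEE_DAILY_CAP = 200_000           # cumulative THB per 24h to new payees: hold above this
ESTABLISHED_AFTER = timedelta(days=7)   # a payee first paid longer ago than this is "established"

ALLOW = "allow"
STEP_UP = "biometric_step_up"
HOLD = "hold_for_out_of_band_confirmation"


def _first_seen(prior):
    """payee -> timestamp of the account's earliest completed transfer to that payee"""
    fs = {}
    for t in prior:
        fs[t.payee] = min(fs.get(t.payee, t.ts), t.ts)
    return fs


def evaluate(new, history):
    """Decide (decision, reason) for `new`, given completed transfers on the same account."""
    prior = [t for t in history if t.account == new.account and t.ts < new.ts]
    first_seen = _first_seen(prior)

    def is_new(payee, at):
        return payee not in first_seen or at - first_seen[payee] <= ESTABLISHED_AFTER

    if not is_new(new.payee, new.ts):
        return ALLOW, "established payee"

    # The scam tell: a small first transfer succeeds, a much larger one follows within minutes.
    last_to_payee = max((t.ts for t in prior if t.payee == new.payee), default=None)
    if last_to_payee is not None and new.ts - last_to_payee <= REPEAT_WINDOW:
        return HOLD, "repeat transfer to a newly added payee within the repeat window"

    # Funds moved to any new payee in the last 24h, counting this transfer.
    since = new.ts - timedelta(days=1)
    to_new_today = new.amount + sum(t.amount for t in prior if t.ts >= since and is_new(t.payee, t.ts))
    if to_new_today > NEW_PAYEE_DAILY_CAP:
        return HOLD, "cumulative transfers to new payees exceed the daily cap"

    if new.amount > STEP_UP_AMOUNT:
        return STEP_UP, "first transfer to a new payee above the step-up amount"
    return ALLOW, "new payee, below step-up amount"


def _t(iso, payee, amount, account="acct-001"):
    return Transfer(datetime.fromisoformat(iso), account, payee, amount)

# Constructed history: rent paid to the same landlord on the 5th of each month, Jan to Jul 2024
LANDLORD = [_t(f"2024-0{m}-05T09:00:00", "landlord", 12_000) for m in range(1, 8)]


def run_scenario():
    """Constructed scam sequence; returns the decision for each step in order."""
    rent = _t("2024-08-05T09:00:00", "landlord", 12_000)
    t1 = _t("2024-08-20T14:00:00", "mule-1", 30_000)    # small first transfer to the scammer
    t2 = _t("2024-08-20T14:01:30", "mule-1", 150_000)   # the big one, 90 seconds later
    t3 = _t("2024-08-20T14:20:00", "mule-2", 60_000)    # second mule, above step-up amount
    t4 = _t("2024-08-20T15:00:00", "mule-3", 140_000)   # third mule, pushes the day over the cap
    return [
        evaluate(rent, LANDLORD)[0],
        evaluate(t1, LANDLORD)[0],
        evaluate(t2, LANDLORD + [t1])[0],
        evaluate(t3, LANDLORD + [t1])[0],
        evaluate(t4, LANDLORD + [t1, t3])[0],
    ]


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed sequence the rent passes as an established payee, the 30,000 test transfer is allowed, the 150,000 follow-up 90 seconds later is held for out-of-band confirmation, the 60,000 to a second new payee requires biometric step-up, and the 140,000 to a third new payee is held because the day's total to new payees would exceed the cap. The held transfers are the ones a deepfaked voice on a phone call cannot talk the system out of: confirmation has to come back over a channel the attacker does not control.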

News: Global

Critical · 2023-09-14 · Reuters / SEC filings

MGM Resorts paralysed by ALPHV ransomware after 10-minute social-engineering call

In September 2023, MGM Resorts International — operator of major Las Vegas casinos and hotels — was hit by the ALPHV/BlackCat ransomware affiliate. The intrusion did not begin with a sophisticated zero-day. According to the group's own statement and subsequent reporting, attackers found an MGM IT employee on LinkedIn, called the company's IT help desk impersonating that employee, and convinced the help desk to reset multi-factor authentication. The entire compromise took approximately 10 minutes.

The operational impact was severe: slot machines went dark, room-key systems failed, reservations were disrupted, and digital payments were taken offline for over a week. MGM later disclosed approximately USD 100 million in losses from the incident. Competing operator Caesars Entertainment, hit by the same affiliate weeks earlier, reportedly paid roughly USD 15 million to avoid similar disruption.

What this means for your business

Help-desk identity verification is now a frontline security control, not a customer-service nicety. Require a callback to a number already on file, a second verification step for privileged resets, and a manager approval step for any MFA reset of an admin account. Treat video as one signal at most: the deepfake cases above show it can be manufactured, so it should never be the sole basis for a reset.
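Even with those verification steps in place, a help-desk MFA reset should leave a detectable trail when it is abused: the reset is followed, within minutes, by a sign-in from a device and network the account has never used. The following is an added example of that correlation, not MGM's or any identity provider's detection; the JSON event schema is a deliberately simplified stand-in for a real identity-provider audit log, and the user names, agent IDs, addresses and timestamps are constructed.

```python
"""Correlate help-desk MFA resets with follow-on sign-ins from unseen devices (added example).

Constructed, simplified event schema (not any identity provider's real audit format):
  {"ts", "type": "mfa_reset", "user", "actor": "helpdesk:<agent>"}
  {"ts", "type": "signin",    "user", "ip", "device"}
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)     # assumption: a new-device sign-in this soon after a reset is suspicious
LOOKBACK = timedelta(days=30)    # assumption: a device/IP seen in this period counts as known


def parse(lines):
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(lines):
    """One alert per sign-in, within WINDOW of a help-desk-initiated reset, from a device or
    IP the user had not used in the LOOKBACK before that reset."""
    events = parse(lines)
    alerts = []
    for i, reset in enumerate(events):
        if reset["type"] != "mfa_reset" or not reset["actor"].startswith("helpdesk:"):
            continue  # self-service resets from an authenticated session are out of scope here
        user = reset["user"]
        known_devices, known_ips = set(), set()
        for ev in events[:i]:
            if ev["type"] == "signin" and ev["user"] == user and reset["ts"] - ev["ts"] <= LOOKBACK:
                known_devices.add(ev["device"])
                known_ips.add(ev["ip"])
        for ev in events[i + 1:]:
            if ev["ts"] - reset["ts"] > WINDOW:
                break  # events are sorted, so nothing later can be inside the window
            if ev["type"] != "signin" or ev["user"] != user:
                continue
            new_device = ev["device"] not in known_devices
            new_ip = ev["ip"] not in known_ips
            if new_device or new_ip:
                alerts.append({
                    "user": user, "reset_by": reset["actor"],
                    "reset_at": reset["ts"].isoformat(), "signin_at": ev["ts"].isoformat(),
                    "new_device": new_device, "new_ip": new_ip,
                    "severity": "high" if (new_device and new_ip) else "medium",
                })
    return alerts


def _constructed_events():
    """Two users reset by the same agent; one re-enrols from a known laptop, one does not."""
    base = datetime(2023, 9, 4, 8, 30)
    lines = []
    for day in range(5):  # a working week of ordinary sign-ins from managed laptops
        ts = (base + timedelta(days=day)).isoformat()
        lines.append(json.dumps({"ts": ts, "type": "signin", "user": "j.doe", "ip": "203.0.113.10", "device": "LAPTOP-A1"}))
        lines.append(json.dumps({"ts": ts, "type": "signin", "user": "k.lee", "ip": "203.0.113.22", "device": "LAPTOP-B7"}))
    reset = base + timedelta(days=5, hours=3, minutes=30)
    lines.append(json.dumps({"ts": reset.isoformat(), "type": "mfa_reset", "user": "j.doe", "actor": "helpdesk:agent07"}))
    lines.append(json.dumps({"ts": (reset + timedelta(minutes=20)).isoformat(), "type": "mfa_reset", "user": "k.lee", "actor": "helpdesk:agent07"}))
    # k.lee re-enrols from the known laptop: expected, no alert
    lines.append(json.dumps({"ts": (reset + timedelta(minutes=25)).isoformat(), "type": "signin", "user": "k.lee", "ip": "203.0.113.22", "device": "LAPTOP-B7"}))
    # j.doe's account signs in nine minutes after the reset from a device and IP never seen before
    lines.append(json.dumps({"ts": (reset + timedelta(minutes=9)).isoformat(), "type": "signin", "user": "j.doe", "ip": "198.51.100.44", "device": "UNKNOWN-7f3e"}))
    # a new laptop two days later is outside the window and is not attributed to the reset
    lines.append(json.dumps({"ts": (reset + timedelta(days=2)).isoformat(), "type": "signin", "user": "j.doe", "ip": "203.0.113.10", "device": "LAPTOP-A2"}))
    return lines


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only j.doe's reset produces an alert, rated high because both the device and the IP are new; k.lee's re-enrolment from a known laptop is silent, as is the hardware refresh two days later. In a help-desk abuse case this alert fires while the attacker is still registering their own authenticator, which is the moment a revoke-sessions-and-call-the-user playbook still works.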

Critical · 2024-02-21 · UnitedHealth Group

Change Healthcare breach disrupts US healthcare payments nationwide

On 21 February 2024, Change Healthcare — a subsidiary of UnitedHealth Group processing roughly one-third of all US healthcare payments — was forced offline by an ALPHV/BlackCat ransomware intrusion that began with a stolen credential on a Citrix portal that lacked multi-factor authentication. Pharmacies could not verify insurance, hospitals could not file claims, and small medical practices burned through cash reserves waiting for payments. UnitedHealth later confirmed paying USD 22 million in ransom; the attackers then exit-scammed their own affiliate, who re-extorted the stolen data through a different group.

UnitedHealth's CEO testified before the US Congress that the company expects total costs exceeding USD 2.45 billion, and that personally identifiable health information of approximately one-third of Americans was exposed. The incident is now cited as the most disruptive healthcare cyber-event in history.

What this means for your business

MFA on every externally-reachable portal is not optional in 2024. Map your third-party dependencies — your business continuity depends on suppliers whose security you do not control.

High · 2024-07-19 · CrowdStrike / Microsoft

CrowdStrike Falcon update crashes 8.5 million Windows hosts globally

On 19 July 2024, a defective content update (a "channel file") to CrowdStrike's Falcon sensor caused approximately 8.5 million Windows hosts worldwide to crash into a blue-screen boot loop. Airlines grounded fleets, hospitals deferred procedures, and broadcasters went off-air. Because the sensor's driver loads at boot, before networking is up, no remote fix could reach the affected machines: each one had to be booted into Safe Mode or the recovery environment and the faulty file deleted by hand, which on BitLocker-encrypted disks also meant retrieving the recovery key first. Some large enterprises took more than a week to restore full operations.

This was not a cyberattack, but it taught the same lesson at the same operational cost: a single trusted vendor running code in the kernel of millions of endpoints is itself a systemic risk. Regulators in the EU and US have since pushed for greater transparency on update-staging practices, and many enterprises now insist on phased rollouts even for security-critical content, which in this case had bypassed the version-pinning (N-1) controls customers had applied to the sensor binary itself.

What this means for your business

Demand staged rollouts from your security vendors. Maintain physical-access recovery plans for at least 10% of your endpoint fleet — and write down your BitLocker recovery key escrow plan before you need it.
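"Staged rollout" is only a control if something actually gates the promotion from one ring to the next. The following is an added example of such a gate, not CrowdStrike's or any vendor's release process; the ring sizes, soak time, failure ceiling and telemetry are constructed for illustration. The key design point is that a host which was pushed the update but never reported back counts as a failure, because a boot loop produces exactly that silence rather than a crash report.

```python
"""Ring-gated promotion of an endpoint-agent update (added example, not any vendor's process).

Telemetry per ring is constructed. Promotion requires a minimum soak time and a failure
ratio (crashed plus silent hosts) under a ceiling. The gate applies to any push, content
files included, not only to agent binaries.
"""
from dataclasses import dataclass

# Assumed policy values for illustration
MIN_SOAK_MINUTES = 60        # wait at least this long before judging a ring
MAX_FAILURE_RATIO = 0.005    # crashed + silent hosts as a share of the ring


@dataclass(frozen=True)
class RingTelemetry:
    name: str
    hosts: int            # hosts the update was pushed to
    healthy: int          # hosts that reported a healthy heartbeat on the new version
    crashed: int          # hosts that reported a crash attributed to the update
    soak_minutes: int     # minutes elapsed since the push


def gate(ring):
    """Return (promote, reason) for moving from this ring to the next one."""
    if ring.hosts <= 0:
        return False, f"{ring.name}: empty ring, nothing observed"
    if ring.soak_minutes < MIN_SOAK_MINUTES:
        return False, f"{ring.name}: soak {ring.soak_minutes}m below {MIN_SOAK_MINUTES}m"
    silent = ring.hosts - ring.healthy - ring.crashed   # pushed, never heard from again
    failure_ratio = (ring.crashed + silent) / ring.hosts
    if failure_ratio > MAX_FAILURE_RATIO:
        return False, (f"{ring.name}: {ring.crashed} crashed, {silent} silent of {ring.hosts} "
                       f"(failure ratio {failure_ratio:.3f})")
    return True, f"{ring.name}: {ring.healthy}/{ring.hosts} healthy after {ring.soak_minutes}m"


def plan_rollout(rings):
    """Walk rings in order. Returns (rings the update may reach, why it stopped or completed)."""
    reached = [rings[0].name]   # the canary ring always receives the push
    for prev, nxt in zip(rings, rings[1:]):
        promote, reason = gate(prev)
        if not promote:
            return reached, "halted: " + reason
        reached.append(nxt.name)
    return reached, "complete: all rings promoted"


# Constructed telemetry. Rings not yet pushed report zeros.
HEALTHY_ROLLOUT = [
    RingTelemetry("canary", 500, 499, 0, 90),
    RingTelemetry("ring1", 5_000, 4_990, 2, 120),
    RingTelemetry("ring2", 50_000, 0, 0, 0),
]
BOOT_LOOP_ROLLOUT = [
    RingTelemetry("canary", 500, 0, 0, 90),    # every host went down before it could report a crash
    RingTelemetry("ring1", 5_000, 0, 0, 0),
    RingTelemetry("ring2", 50_000, 0, 0, 0),
]

if __name__ == "__main__":
    print(plan_rollout(HEALTHY_ROLLOUT))
    print(plan_rollout(BOOT_LOOP_ROLLOUT))
```

With the healthy telemetry the update clears the canary and ring1 and reaches ring2; with the boot-loop telemetry the canary ring shows 500 silent hosts and the rollout halts there, 499,500 hosts short of the full fleet. The soak time matters as much as the ratio: a gate evaluated one minute after the push would see no failures only because nothing has had time to report.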

Medium · 2024-02-20 · NCA / FBI / Operation Cronos

Operation Cronos: international law enforcement seizes LockBit ransomware infrastructure

On 20 February 2024, a coalition led by the UK National Crime Agency with the FBI and Europol seized the dark-web infrastructure of LockBit, the most prolific ransomware-as-a-service operation of the preceding three years, responsible for thousands of attacks and, by US Department of Justice estimates, more than USD 500 million in extorted payments. Investigators not only took down LockBit's leak site but replaced it with their own branding, published decryption keys, and unsealed indictments against two Russian nationals tied to the group; in a follow-up action in May 2024 they named the alleged administrator behind the 'LockBitSupp' persona.

The takedown demonstrated that ransomware groups, despite their operational sophistication, are not invulnerable to coordinated international law enforcement. However, within days LockBit had stood up a new leak site and its affiliates regrouped, illustrating the difficulty of permanently disrupting a criminal ecosystem with deep cryptocurrency liquidity.

What this means for your business

Law-enforcement disruptions buy time, not safety. Continue to treat ransomware as a when-not-if event, with tested backups, segmented networks, and a rehearsed incident-response plan.