Thailand’s People’s Party is facing mounting calls to clarify how it will protect the personal information of its members after acknowledging a data breach that could expose them to identity theft and scams.
“The key issue is not merely an apology or advice to reissue ID cards, but responsibility for the protection of citizens’ personal data,” Suphachai Jaisamut, a member of the Bhumjaithai Party and its legal chief, wrote on Facebook on Saturday.
The People’s Party said on Thursday that its membership database was breached on February 23. It warned that members’ rights could be affected and advised them to change their account passcodes.
According to the party, the compromised data includes members’ names, surnames, identification card numbers, addresses, birthdates, phone numbers, email addresses and images of documents submitted during membership applications.
Mr Suphachai stressed that the matter should not be overlooked by society.
He referred to the Personal Data Protection Act, which requires organisations that collect citizens’ personal information to protect it under strict standards. He noted that such data represents the rights and security of individuals, not merely numbers stored in a system.
Mr Suphachai said the public is therefore entitled to ask several questions: why the system contained vulnerabilities that allowed outsiders to access the data, whether sufficient and standardised protection measures were in place, and who should ultimately be held responsible for the breach.
“People deserve a clear, transparent and accountable answer — not just brief explanations from its leader, who is about to be nominated before the House of Representatives for selection as prime minister in the coming days,” Mr Suphachai concluded.
The People’s Party announced on Friday that it would nominate Natthaphong Ruengpanyawut as its candidate for prime minister in next week’s parliamentary vote. The move is widely viewed as symbolic, as the selection of Anutin Charnvirakul, leader of the Bhumjaithai Party, is widely expected.
Concern has also been raised by technology commentator Thananon Patinyasakdikul, better known online as “9arm”. He holds a PhD in computer science from the University of Tennessee, Knoxville and has around 1.5 million subscribers on YouTube.
Following the party’s statement, he posted a strong reaction on X, saying the volume of compromised information described by the party was “not small, and the members’ names could be used in any way possible”.
In another post, Arm called for greater transparency.
He said the party’s statement failed to clarify several key issues, including whether the leaked URL could allow access to photographs taken with ID cards, how many member records exist in total, how many were accessed, what remedies would be offered to affected members, and what penalties could apply under the PDPA for such a breach.
Many of his followers joined the discussion, with some saying they were party supporters who also wanted clearer explanations.
The People’s Party recruited members and accepted donations at Stadium One in Chula Soi 5 in Bangkok on August 10, 2024.
Last month, the party maintained that the personal data it collected from members — including laser ID numbers — was securely stored.
Laser ID numbers are the alphanumeric codes printed on the back of Thai national identification cards. Cardholders are advised to keep them confidential because they can be used to verify identities and conduct important transactions.
