Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”), which came into full effect on 1 June 2022 after a three-year delay, marks the country's first comprehensive personal data protection legislation. The PDPA has significantly raised public and business awareness around personal data protection. Since then, the Personal Data Protection Committee (“PDPC”) has been actively exercising its enforcement powers.

On 1 August 2025, the PDPC announced at a press conference that during the 2024 fiscal year, it had issued eight administrative orders imposing fines in five cases of non-compliance involving both public and private entities. These fines totaled approximately THB 15 million. Since the PDPA came into effect, there have been six cases resulting in nine administrative fine orders, with total penalties around THB 21.5 million, signaling a clear shift from compliance preparation to active regulatory enforcement.

The key summaries of the five cases in 2024, as announced by the PDPC (one involving a government agency and the others in the private sector), are as follows.

  • Case 1: A government agency’s web application was compromised, leading to the leak of personal data belonging to 200,000 individuals, which was later offered for sale on the dark web. The software had been developed by an external software developer. The investigation found a lack of appropriate security measures, weak system passwords, no risk assessment or ongoing review of the security measures, and no data processing agreement between the agency and the developer. Both the government agency, as the Data Controller, and the software developer, as the Data Processor, were each fined THB 153,120 (approximately USD 4,700).
  • Case 2: Some 1,000 patient medical records from a private hospital were leaked and found being reused as paper wrappers for Thai-style pancakes (Tokyo snacks). Images of the medical records being used as food wrappers were posted on social media, spread quickly, and were discovered by the PDPC. An investigation revealed that the hospital had engaged a contractor to destroy the medical records; however, the contractor stored the documents at its own premises and did not follow the agreed destruction procedure. The individual contractor also failed to notify the hospital of the breach and the leak of the documents. For its part, the hospital failed to properly oversee, monitor, or audit the contractor’s destruction process to ensure it met the required standards. The hospital was fined THB 1,210,000 (approx. USD 37,100), while the individual contractor was fined THB 16,940 (approx. USD 520).
  • Case 3: A major IT product retailer in Thailand suffered data leak incidents in which a significant amount of customers’ personal data was disclosed, exposing the affected customers to criminal call center gangs. The company did not provide remedial action to the affected data subjects within the specified timeframe, and it was fined THB 7,000,000 (approx. USD 214,700) on three charges: failure to appoint a data protection officer, lack of appropriate security measures, and failure to report the data breach incidents to the Office of the PDPC as required by the PDPA.
  • Case 4: A cosmetics company failed to implement adequate security measures as required under the PDPA, resulting in the leakage of personal data to criminal call center gangs. The company also failed to notify the Office of the PDPC about the data breach within the specified timeframe. As a result, it was fined THB 2,500,000 (approximately USD 76,675).
  • Case 5: The reservation system of a collectible toy company was compromised, resulting in the unauthorized alteration of approximately 200,000 personal data records. Although the company responded promptly by providing remedies to the affected data subjects, it was fined THB 500,000 (approximately USD 15,340) for failing to implement appropriate security measures. The system service provider, acting as a data processor, received a significantly higher fine of THB 3,000,000 (approximately USD 92,000) due to its failure to take timely action to contain the incident, notify the data controller, and provide remedial measures to the affected individuals.

The recent enforcement actions clearly indicate that the PDPC has shifted from raising awareness to actively enforcing the PDPA. These cases serve as a strong reminder for organizations handling personal data in Thailand to reassess their data protection practices and strengthen internal safeguards, not only to comply with legal requirements and reduce the risk of penalties, but also to build and maintain trust, preserve business reputation, and, most importantly, protect individuals’ rights.