Cyber Incident Victim: The Icon Group

Date: Oct 2022

Location: Thailand

Summary

A Thailand-based company, The Icon Group, experienced a cyberattack by the DESORDEN group, resulting in the theft of 161 GB of databases and files containing sensitive customer and corporate information. The compromised data included personal details such as full names, national ID numbers, bank account information, addresses, contact details, and approximately 70,000 sets of KYC documentation, including copies of identity cards and bank books. DESORDEN claimed prolonged unauthorized access to the organization's systems and stated the victim did not respond to communications regarding the breach. The attackers publicly disclosed samples of stolen data, though the company did not publicly acknowledge the incident or confirm notification efforts to regulators or affected individuals at the time of reporting.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around October 2, 2022, the DESORDEN hacking group publicly disclosed a cyberattack against Thailand’s The Icon Group via a post on a popular hacking forum. DESORDEN claimed to have exfiltrated approximately 161 GB of databases and files containing sensitive customer and corporate data. The compromised customer information included full names, national ID card numbers, bank account numbers, physical addresses, phone numbers, and email addresses for 264,128 individuals. Additionally, attackers acquired Know Your Customer (KYC) documentation such as photocopies of identity cards, bank book pages, and other verification records containing facial images and personal identifiers. DESORDEN clarified they possessed approximately 70,000 sets of KYC images rather than complete coverage of all affected customers. The group also stated they stole corporate financial data and internal company files. DESORDEN provided samples of leaked .csv database files and redacted KYC images as proof of compromise, though some image files were publicly exposed.

DESORDEN asserted initial network access occurred around July 2022 and maintained they retained persistent access to The Icon Group’s systems at the time of disclosure. The group reported no successful communication with The Icon Group regarding the breach prior to publicizing their claims. DataBreaches.net independently contacted The Icon Group for verification and details regarding regulatory notifications or customer disclosures but received no response. The absence of confirmed containment measures or public statements from The Icon Group left unresolved questions about the duration of unauthorized access, potential ongoing risks, and organizational response actions. The exposure of national ID copies, financial identifiers, and biometric data (via KYC images) created significant identity theft and financial fraud risks for impacted individuals, while corporate data theft introduced operational and reputational consequences for the organization.
