Cyber Incident Victim: Better Way Thailand Company Limited

Date: Jul 2022

Location: Thailand

Summary

A cyberattack by the Desorden group compromised Better Way Thailand Company Limited, a distributor of personal care products under the Saha Group, resulting in the theft of 180 GB of data including sensitive personal information of over 20 million individuals. The breach affected multiple brands: the attackers exfiltrated customer, employee, and financial records containing ID numbers, birthdates, addresses, and contact details, and also deleted databases from the company’s servers, which could cause significant operational disruption if backups were unavailable. Desorden exploited unpatched vulnerabilities to access 20 servers and threatened to leak or sell the data after receiving no response to their demands.

Description

On or around July 8, 2022, the hacker group Desorden breached systems belonging to Better Way Thailand Company Limited, a distributor of personal care and cosmetic products under Thailand’s Saha Group conglomerate. The attack targeted servers supporting multiple brands, including Mistine, Flormar, Fairs, Friday, MYSS, Yupin, and NingNong. Desorden claimed to have exploited unpatched vulnerabilities to gain access to 20 servers, exfiltrating 180 GB of data and 60 GB of files. The stolen data included customer, sales representative, employee, supplier, export, e-commerce, corporate, HR, and financial records. Over 20 million personally identifiable records were compromised, containing Thai national ID card numbers, birthdates, names, addresses, and contact details. Desorden asserted the scale represented nearly one-third of Thailand’s population, though duplication across datasets was noted as a potential factor in the total.

Starting July 8, Desorden contacted Mistine’s management with evidence of the breach and its demands but received no response. Following this lack of engagement, the group informed Mistine via an MP4 file that they had deleted all databases from the compromised servers after downloading copies, raising operational continuity concerns if backups were unavailable. Desorden provided DataBreaches.net with samples, including employee spreadsheets containing names, passwords, addresses, and mobile numbers, and indicated intent to leak and sell the data via alternative forums following the seizure of Raid Forums. DataBreaches.net attempted to contact Mistine’s Data Protection Officer using the email address in the company’s privacy policy, but the message bounced. It subsequently emailed seven management addresses taken from a leaked CSV file, including the CEO’s, but received no reply. The incident exposed systemic vulnerabilities in the company’s patch management and incident response processes. Desorden’s historical accuracy in prior breach claims lends credibility to its assertions despite the absence of independent verification from Mistine or Thai authorities.