Date: Aug 2022

Location: Thailand

Summary

A breach at Thailand’s Department of Medical Sciences exposed sensitive COVID-19 patient data, including names, contact details, medical history, and healthcare identifiers, due to an SQL injection vulnerability in a government web application used for online surveys. The stolen information was listed for sale on dark web marketplaces and a Telegram channel, with attackers accessing at least 5,151 records and potentially compromising up to 15,000. The incident underscores the targeting of digital healthcare systems by cybercriminals seeking personal data for identity theft, mirroring similar attacks in other countries.

Description

In August 2022, cybersecurity firm Resecurity identified a breach involving Thailand’s Department of Medical Sciences, uncovering unauthorized access to COVID-19 patient data. The incident, detected around August 18 and formally reported to Thai CERT by August 25, stemmed from an SQL injection vulnerability in the authorization module of a government web application (https://longcovidcheckin.dms.go.th) used for online COVID-19 symptom surveys. Attackers exploited this flaw to steal personally identifiable information (PII) including full names, sex, age, contact details, medical history, and local healthcare identifiers. Resecurity confirmed the breach through samples and human intelligence (HUMINT) gathered by its threat intelligence unit, which revealed compromised records being actively marketed on multiple Dark Web marketplaces and a dedicated Telegram channel operated by the threat actors. Initial analysis indicated access to 5,151 detailed records at the time of discovery, with potential exposure reaching 15,000 individuals. The attackers’ access enabled illegal management of user accounts and records within the portal, along with real-time monitoring of new data submissions, amplifying privacy risks for affected citizens.

The breach exposed systemic vulnerabilities in Thailand’s digital healthcare infrastructure, which had become a high-value target due to widespread digitization of medical services. Resecurity promptly shared technical findings and compromised data samples with Thai authorities to facilitate containment and legal action under local privacy laws. Forensic evidence confirmed attackers leveraged insecure parameter filtering in the web application, a common attack vector per OWASP Top 10 guidelines. While no direct financial or operational disruptions were reported, the incident heightened concerns about medical identity theft, given cybercriminals’ historical misuse of such data across Southeast Asia. Parallel breaches in Indonesia and India—involving over 230,000 and an undisclosed number of COVID-19 patient records, respectively—demonstrated regional targeting patterns. Resecurity’s disclosure emphasized the operational confirmation of the vulnerability and its remediation recommendations but did not detail subsequent actions by Thai authorities beyond initial notifications. The incident underscored persistent threats to public health data systems amid increasing Dark Web commodification of sensitive medical information.
