Cyber Incident Victim: 724.co.th
Date:
Jul 2022
Location:
Thailand
Summary
The insurance marketplace 724.co.th suffered a cyberattack by the threat actor DESORDEN, resulting in the theft of 1.75 terabytes of sensitive customer documents, including scanned identification copies and loan records. The stolen data was publicly posted on a hacking forum, amplifying exposure risks. The breach occurred shortly after DESORDEN compromised its parent company, Srikrung Broker, and coincided with website accessibility issues, as connection attempts to 724.co.th’s domain timed out. This incident formed part of a broader campaign targeting Thai entities, with DESORDEN leveraging hacking forums to disclose breaches and distribute stolen data, though the group denied using ransomware in most operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 28, 2022, or shortly before, the threat actor group DESORDEN breached 724.co.th, an insurance marketplace operating under Srikrung Broker Co., Ltd., a publicly listed Thai insurance brokerage firm. This attack occurred three days after DESORDEN compromised Srikrung Broker’s parent company, indicating a pattern of sequential targeting within the same corporate structure. DESORDEN publicly claimed the 724.co.th breach involved the exfiltration of 1.75 terabytes of sensitive customer data, including scanned identification documents and loan-related records. The group listed this data for sale on a hacking forum, accompanied by a free sample to validate their claim. Attempts by independent cybersecurity outlet DataBreaches.net to access 724.co.th’s website following the breach announcement resulted in connection timeouts, suggesting potential service disruption or deliberate takedown. DESORDEN did not specify whether ransomware or encryption was deployed during this incident, consistent with their stated preference for data theft over encryption-based extortion in most operations.
The breach formed part of a broader wave of cyberattacks against Thai entities that week, with DESORDEN simultaneously targeting three other organizations: Frasers Property Thailand, Union Auction Public Company Limited, and Srikrung Broker itself. DESORDEN’s attack on Srikrung Broker reportedly extracted 369 gigabytes of data containing 3.28 million customer records and 462,980 agent records prior to the 724.co.th compromise. No public statements from 724.co.th or Srikrung Broker regarding breach notifications, remediation efforts, or stakeholder communications were identified at the time of reporting. DataBreaches.net’s attempts to contact affected organizations yielded minimal responses, with emails to Union Auction bouncing undelivered and no immediate reply from Frasers Property. The exposure of personally identifiable information and financial documents at 724.co.th created significant risks of identity theft and financial fraud for impacted customers. This incident occurred amid heightened cybercriminal activity targeting Thailand, with multiple threat actors including ALTDOS and unnamed forum vendors offering datasets allegedly containing millions of Thai citizens’ records from healthcare institutions, government agencies, and educational organizations throughout 2022.