By: Ian Johnston, Sorawat Wongkaweepairot and Nuttida Doungwirote
At a glance
- A mass-email service provider was compromised and exploited to send phishing emails to more than 1 million users.
- The Personal Data Protection Commission (PDPC) took immediate action to investigate the issue.
- The investigation revealed that the breach was caused by weak One-Time Password (OTP) controls, i.e., the OTP was valid for up to 24 hours, an unusually long period compared to standard best practices, with no limits on failed attempts.
- The PDPC did not impose penalties on the service provider. Instead, the PDPC provided guidance on how to respond to the incident and ordered the company to submit further information for the PDPC’s review.
What happened?
In November 2025, a mass-email service provider's system was compromised and exploited to send phishing emails to more than 1 million users. The PDPC investigated and found that the attackers gained control of the mass-email service provider through brute-force guessing of OTPs, then distributed fraudulent investment links disguised as legitimate corporate communications.
How the attackers gained access
The breach stemmed from a critical flaw in the mass-email service’s authentication process – specifically, its use of a six-digit OTP for client login. While OTPs are widely used for security, the company implemented them in a way that exposed customers to significant risk:
- The OTP was valid for up to 24 hours, an unusually long period compared to standard best practices.
- The system did not enforce limits on failed attempts, allowing attackers to try unlimited combinations without triggering security blocks.
These design flaws enabled attackers to perform brute-force attacks, guessing OTP combinations until the correct one was found. Once authenticated, the attackers gained direct access to the mass-email platform, allowing them to assume control of email-sending domains to distribute phishing emails in the companies’ names, and redirect recipients to fraudulent websites designed to steal sensitive information.
Although the affected companies’ internal systems remained secure, the compromise of the mass-email service meant that personal data stored within that service, such as email recipient lists, may have been exposed to misuse.
ETDA Guidance on OTP Security
The Electronic Transactions Development Agency (ETDA) has provided national guidelines on secure authentication and digital identity management. According to ETDA’s Digital Identity Guideline:
- OTP systems should use short-lived codes, ideally refreshing every 1-2 minutes.
- Authentication mechanisms must include limits on failed attempts to prevent brute-force attacks.
- OTPs must be single-use, and communications channels should be encrypted.
These recommendations represent Thailand’s national expectations for secure login practices and are highly relevant when assessing whether a system meets the PDPA requirement for “appropriate security measures.”
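The two flaws described above (a 24-hour OTP lifetime and no limit on failed attempts) and the ETDA controls that address them can be seen side by side in the following verifier. This is an added illustration, not code from the service provider or from ETDA; the 2-minute lifetime follows the guideline, while the five-attempt budget, the attacker rate used for the comparison and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

# Policy values constructed to follow the ETDA guidance quoted above:
# a 2-minute lifetime and a small budget of failed attempts (5 is an assumption).
OTP_TTL_SECONDS = 120
MAX_FAILED_ATTEMPTS = 5
CODE_SPACE = 10 ** 6  # six-digit numeric OTP, as used by the compromised service


def guessable_fraction(ttl_seconds, max_attempts, attacker_rate_per_second):
    """Share of the six-digit code space an online guesser could cover before the
    code expires or the account locks. Used here only to compare the two policies."""
    by_time = ttl_seconds * attacker_rate_per_second
    budget = by_time if max_attempts is None else min(by_time, max_attempts)
    return min(1.0, budget / CODE_SPACE)


class OtpStore:
    """In-memory OTP verifier (illustrative; a real service persists this state)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self.records = {}   # user -> {"code", "expires_at", "failures", "used"}

    def issue(self, user):
        code = f"{secrets.randbelow(CODE_SPACE):06d}"  # CSPRNG, zero-padded
        self.records[user] = {"code": code, "expires_at": self.clock() + OTP_TTL_SECONDS,
                              "failures": 0, "used": False}
        return code

    def verify(self, user, candidate):
        rec = self.records.get(user)
        if rec is None:
            return "no_otp"
        if rec["used"]:
            return "already_used"  # single-use: a replayed code never works again
        if self.clock() > rec["expires_at"]:
            del self.records[user]
            return "expired"  # short-lived: stale codes are discarded, not accepted
        if hmac.compare_digest(rec["code"], candidate):  # constant-time comparison
            rec["used"] = True
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            del self.records[user]  # attempt limit: the code is invalidated outright
            return "locked"
        return "wrong"
```

With the incident's policy (24 hours, no attempt limit) `guessable_fraction` reaches 1.0 at even 100 guesses per second, whereas the ETDA-aligned policy caps exposure at five guesses out of a million per issued code.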
PDPA Compliance
The incident raises important legal implications under the Thai Personal Data Protection Act (PDPA), concerning the responsibilities of data processors.
Article 40(2) of the PDPA requires that data processors, in this case, the mass-email service provider, must implement appropriate technical and organisational security measures to prevent unlawful access, use, alteration, or disclosure of personal data.
This incident suggests that the service provider failed to implement sufficient security measures. The OTP's long validity period and lack of attempt limits were not in accordance with ETDA's recommended guidelines and significantly increased the risk of unauthorised access.
However, the PDPC did not impose penalties on the service provider in this case. Rather, it advised the provider on incident response, requested further information from the provider, including follow-up on its response measures, and warned the public not to click on links in suspicious emails.
While this may seem unusually lenient, we consider it to reflect the relatively recent PDPA enforcement regime, and such leniency is unlikely to be repeated in future years.
What This Means for Companies in Thailand
This incident demonstrates that data security is only as strong as the weakest link in the processing chain. Under the PDPA, organisations remain fully accountable for third-party service providers who process personal data on their behalf. Even when a company’s internal systems remain secure, vulnerabilities in external platforms can result in data exposure, reputational damage, and potential legal liability.
Moreover, when issues do arise in the future, companies can now expect the PDPC to become involved and potentially impose penalties on the companies involved.
Key Takeaways
Vendor Due Diligence
Companies must assess third-party processors' security controls before engagement, particularly authentication mechanisms. Verify that providers comply with ETDA's Digital Identity Guidelines: short-lived OTPs (1-2 minutes), failed-attempt limits, and encrypted communication channels.
Contractual Protection
Data processing agreements should explicitly require security standards aligned with Article 40 of the PDPA, including audit rights and breach notification obligations.
Don’t Assume Leniency
While the PDPC provided guidance rather than penalties in this case, companies should not expect similar treatment for future incidents. Robust incident response plans covering both internal and processor-related breaches are essential.
Key Contacts & Updates
For insights or questions about cybersecurity, data protection, and dispute developments across Thailand, please feel free to reach out to our authors.
Wotton Kearney’s Cyber, Privacy and Technology team works across APAC and can support clients across the full spectrum of issues, including incident response, privacy compliance, advisory work and dispute resolution. Find out more here.