Oppo ordered to investigate alleged data breach in Thailand

Chinese electronics giant Oppo has been directed by Thailand’s Personal Data Protection Commission (PDPC) to urgently investigate and assess risks following allegations of a massive data breach. The incident came to light after a dark web post advertised 165 gigabytes of data, purportedly belonging to Oppo Thailand, for sale at US$20,000 (approximately 680,000 baht). The alleged data includes sensitive customer information, employee records, and internal operational data.

The PDPC issued an alert to Oppo, requiring the company to submit a detailed report within 72 hours. The report must confirm whether a breach occurred and outline measures to address and mitigate potential harm. "If it is found that any individual or entity has violated the Personal Data Protection Act or caused harm, the PDPC will investigate, gather evidence, and report the findings to the expert committee for further administrative consideration," stated the commission.

The investigation is being led by the PDPC’s specialized Eagle Eye unit, tasked with monitoring and analyzing potential data breaches. The unit employs advanced technology to scour search engines, the dark web, and social media platforms for evidence of personal data violations. With the capability to monitor approximately 100 websites daily, the Eagle Eye unit works closely with the National Cyber Security Committee and the Technology Crime Suppression Division to enforce relevant legislation.

The leaked data was reportedly advertised on January 23, 2025, by a dark web user under the alias "SSL_Dragon." The sale post included screenshots suggesting the data contained customer and employee records and system databases. This development follows a December 13, 2024, police complaint filed by Oppo Thailand’s distributor, Poseify Group Co. Ltd., which acknowledged a breach and notified the PDPC Eagle Eye unit.

In a statement, Poseify Group pledged full cooperation with the authorities and assured stakeholders its commitment to resolving the issue. "We are working closely with PDPC Eagle Eye and other relevant authorities to expedite the investigation and safeguard affected parties’ data," the company said. It also promised to pursue legal action against those responsible if evidence confirms a breach.

Poseify Group clarified that this incident is unrelated to a previous loan application controversy. However, critical questions remain unanswered, such as the scope of the breach and the number of affected individuals.

The PDPC has urged Oppo Thailand users to stay vigilant and take precautionary measures. Users are advised to monitor their accounts for unusual activity, change passwords for Oppo accounts and other services using the same credentials, and remain cautious of phishing attempts via emails or messages.