Cybersecurity and Customer Privacy Protection

Information Technology is advancing at an unprecedented rate, revolutionizing both personal and corporate communication. This is not only accelerating online information exchanges and transactions across the globe, but also exposing service users to a higher risk of cybercrime. Customers are understandably concerned about the security of their data and systems. To cope with these challenges and opportunities, AIS has upgraded its IT systems and personnel to deal with a range of cyberthreats, to benefit users of AIS’ mobile networks and digital services, conducted alongside the protection and security of customers’ personal data according to their statutory rights.

Management Approach

AIS has determined policies to maintain cyber-security and protect personal data, to supervise processes and management systems for every function throughout the company. Regular internal inspections are conducted to be confident that management and best practice concerning personal data protection, and maintenance of cyber-security, are compliant with the company’s standards and frameworks.

Privacy Protection

Measures have been stipulated to protect privacy for customer data, which includes limiting access to sensitive data. AIS also incorporates the Privacy by Design and Privacy by Default principles into its services and products as necessary, setting specifications for the data flow process, as well as promoting awareness, knowledge and understanding on customer data protection to all personnel and partners. We also established a system and enhancement of processes to customer requests as follows:

For the management of data requests, the company provides customer data to government agencies in compliance with the law, and fairly in consideration of data subjects’ human rights as defined by the law. The Process for Evaluating and Responding to Law Enforcement or Government Data Requests is as follows:

Cybersecurity

For cyber security, AIS has the infrastructure, systems, and protocols to ensure the regular management, testing, and monitoring of cyber security incidents. Our policies and guidelines related to cyber security are developed and reviewed regularly in accordance with the best practices and pertinent regulatory requirements.

NIST Cyber Security Framework

AIS uses the "NIST Cyber Security Framework" as a guideline for designing cyber security strategies and processes, which include the following steps:

Regarding the cyberattack response, protocol and escalation process, AIS applies "NIST's Cyber Incident Response Framework" into day-to-day routine, which involves the following incident handling steps:

AIS has won various certifications reflecting its determination to attain and uphold the highest personal data protection standards as follows:

Performance Table

Topic	Units	2019	2020	2021	2022
Personal data protection
Number of personal data breach and data loss complaints
Complaints from general persons or agencies ¹	Number of cases	124	560	7	7
Complaints from regulatory agencies	Number of cases	47	23	20	11
Data leakage, theft, or loss	Number of cases	0	0	0	2
Requests for customers’ personal data from public agencies with the power and duty ²	Number of cases	28,334	24,453	25,442	19,454
% of the total number of requests	%	-	92	70	91.45
Network
Average frequency of network failure	Units	0.05	0.07	0.18	0.07
Average length of network failure	Minutes	12	39	54	38

Remark :

¹ As the number and types of complaints received surged over the year 2022, only those determined to be well-founded were reported.
² AIS provides customers’ personal data to the public agencies granted the authority by law, namely the Court of Justice, the Royal Thai Police Headquarters, and the Anti-Money Laundering Office.