The personal data of more than 200 million Indonesians has allegedly been leaked and is currently being sold online, according to a post on an online forum frequented by hackers.
The issue was first raised in a tweet by Nuice Media, which included screengrabs of posts from a thread on RaidForums, where hackers leave posts related to database breaches and in some cases put the datasets up for sale. A user with the handle “kotz” claimed to have data of 279 million people, including deceased persons. Twenty million records include personal photos. KrASIA viewed a snapshot of the data, which includes national IDs, tax registration information, and mobile phone numbers. The hacker claims in the forum that the set also includes salary data.
This is the latest and largest data breach afflicting the country. In 2020 alone, numerous tech companies like Tokopedia, Bukalapak, and Cermati suffered breaches, and hackers posted the personal data of millions of users online. The country’s general elections commission (KPU) last year also reported that the personal information of more than 2 million voters was leaked and was accessible by the public.
Weak protection and regulations
“Most people don’t really care about personal data and privacy; many don’t even understand which areas are private,” said Wildan Aliviyarda, a cybersecurity analyst who serves as vice president and head of information security at Indosat Ooredoo. “For example, when we enter an office building as a guest, we have to register by scanning our ID card and photo. This means lots of digital assets are scattered in many places, and they are easy to copy, which increases the risk.”
He added that it doesn’t take long for hackers to break into a system or a server, especially one with weak security. “Since there are many parties who keep our digital assets, hackers just need to find the weakest [system]. For instance, the KPU has published voters’ data without masking them before, making it prone to be exposed,” said Aliviyarda.
These incidents have caught the attention of the authorities. Shortly after the news broke on social media, Tokopedia was summoned by the IT Ministry and National Cyber and Encryption Agency to discuss how external parties were able to gain access to 91 million users’ records. The government also said that it would investigate the KPU case. However, there have not been any updates so far.
“It’s not surprising that cases like this disappear without any follow-up, because it is not clear who is prosecuting and who is being prosecuted. Data breaches are different from other criminal cases,” Aliviyarda added.
The government is reviewing a draft law on personal data protection, which is currently being discussed in the House of Representatives. The slow progress shows that data protection doesn’t seem to be a priority for the government right now. “Since the majority of people are not aware of the importance of data protection, there is no urgent push for regulators,” Aliviyarda said.