Indonesian e-commerce unicorn Tokopedia has released a standalone peer-to-peer fintech lending platform called Dhanapala. The app is already available for Android users even though the company has made no public announcement of its launch.
Dhanapala’s service went online while Tokopedia and Indonesian government entities are still investigating a data leak that exposed the personal information of up to 91 million of its users, including their names, birth dates, genders, e-mail addresses, and phone numbers. The leak was exposed when the information of 15 million of those users was published online by a hacker or hacker group in May. The hacker or hackers, Whysodank, sold the block of information for USD 5,000 on a dark web marketplace.
This leads to a valid question: Given the recent lack of security in Tokopedia’s infrastructure and an ongoing investigation related to the incident, can Tokopedia build a safe, reliable fintech product without risking exposure of its users’ financial assets and personal data?
Shortly after the breach was made public, Tokopedia’s CEO, William Tanuwijaya said the company was cooperating with government agencies, including the Ministry of Communication and Information Technology and the National Cyber and Crypto Agency (BSSN), in an investigation. The company was sued by Indonesia’s consumer association; the first hearing was in June. Then, in July, three Tokopedia employees provided testimony for the case, according to local media reports.
“The purpose of the investigation is to find out who are the perpetrators and how did they enter the company’s system. I think users and the public have the right to question the clarity of the investigation that has been going on for about four months because it involves their data,” Teguh Aprianto, founder of Ethical Hacker Indonesia and cybersecurity consultant, said to KrASIA. He also said that the investigation should not take this long since Tokopedia is cooperating with the IT ministry and BSSN.
“Look at Twitter, for example. The FBI arrested the hackers behind Twitter’s security breach within a month. I believe Tokopedia has the same abilities [to identify the parties involved in the breach], especially since it is assisted by large institutions,” Aprianto said.
The white hat hacker pointed out that Dhanapala’s status as an affiliate of Tokopedia may mean it carries the same data security issues.
“Many people are still not aware of the dangers of data violation. Indonesia saw many data breach cases this year, and we’re starting to see new unsettling phenomena in society. For instance, there have been some reports lately about people receiving packages they did not order from unknown senders. I think this is a result of that rampant data leak cases that have happened recently. Imagine if a stranger knows where you live, where you work, and how much money you make. This can lead to more serious fraud and problems later on,” Aprianto said.
“What the public knows from this case, for now, is that Tokopedia’s system has been compromised and therefore is not safe. There is no guarantee that its fintech platform wouldn’t experience the same thing. That is why I think Tokopedia should publish the results or updates of its investigation to regain public’s trust, especially since the data on fintech platforms is crucial—and it can be fatal if the data is leaked to irresponsible parties.”
Tokopedia did not respond to KrASIA’s request for comments regarding the investigation into its data security.
Dhanapala’s P2P lending service is licensed by Indonesia’s financial authority. It acquired the permit in August 2019, according to Dhanapala’s official website, nine months before Whysodank posted the personal information of Tokopedia’s users online.
“Dhanapala . . . provides micro, small, and medium enterprises (MSMEs) with access to financial services, especially working capital to develop their businesses and increase financial inclusion in Indonesia,” said Nuraini Razak, vice president of corporate communications at Tokopedia and a commissioner at Dhanapala, in a written statement received by KrASIA.
However, she did not elaborate further on the relation between Dhanapala and Tokopedia, or explain why Dhanapala is a standalone app.
Gray areas in fintech data protection
In early August, the personal records of around 890,000 users from fintech platform Kredit Plus were reportedly stolen and sold on the dark web. The information included users’ names, current home addresses, employment data, and family registries. Kredit Plus is one of the earliest entrants in Indonesia’s fintech sector. It provides multifinance loans and, like Dhanapala, is licensed by the OJK.
Data hacks are a scourge for any tech company, and the threat isn’t going away any time soon. In Indonesia, cybersecurity regulation is fairly weak and has not kept pace with what hackers can do, according to Pratama Persada, a cybersecurity analyst at the Communication and Information System Security Research Center (CISSReC) in Jakarta. OJK’s regulations cover business activities, but does not oversee the technical details of user data protection.
This means some fintech firms are not dedicating sufficient resources to their security infrastructure. “For instance, from the recent data leak cases, we see that companies only encrypted users’ passwords, while other personal data protection is not optimized,” Persada said.
Both Persada and Aprianto agreed that Indonesia should follow Europe’s General Data Protection Regulation, which implements severe punishments to companies for lax user privacy protection. “We urge the government to pass the data protection law immediately, so there will be a sense of obligation for companies to step up their security systems. In Europe, companies that fail to protect customers’ data can be sued and fined up to 20 million euros, so they are very cautious in managing users’ data,” said Persada.