Following the leak of a dataset containing personal information of 279 million Indonesians, including deceased individuals, the government’s responsibility to protect the data of its citizens is now a crucial topic of discussion among the country’s internet users. The latest breach, which included what a hacker claimed was the ID numbers, salary information, and phone numbers of people in Indonesia, was of data stored on a server used by BPJS Kesehatan, the country’s healthcare and social security agency.
Every Indonesian citizen is registered with BPJS for its health insurance program, so the agency collects the private data of the entire population. At a press conference held on Tuesday, the president director of BPJS Kesehatan, Ali Ghufron, said his agency has made an effort to protect people’s data in accordance with Indonesia’s laws and regulations. BPJS is now working with the IT ministry, the National Cyber and Encryption Agency (BSSN), and the national police’s cybercrime unit to investigate how their records were acquired by malicious parties and shared on a public forum.
While the incident shocked people in Indonesia due to its vast scope—virtually every living person in the country could bear the brunt of this leak—it can be seen as the latest development in a series of hacks that took place in Indonesia, each affecting a larger portion of the population than the previous one. There were at least seven data breaches that occurred in 2020, including those involving large tech companies like Tokopedia and Bukalapak, loan provider KreditPlus, as well as Indonesia’s general elections commission (KPU).
“Institutions that manage sensitive data must meet specific standards relating to data security and management,” said Teguh Aprianto, a cybersecurity consultant and a founder of Ethical Hacker Indonesia. “The problem is many institutions fulfill those requirements for audit purposes only. After that, they don’t upgrade their security system or implement the best possible methods.”
To exploit a system, an attacker needs to gather relevant information, scan the target for weak points in its defenses, break into the system to gain access, maintain that access, and then clear their tracks. Depending on the specifications of the computers used by the hackers as well as the infrastructural complexity of the targeted system, this process may take hours or days, according to Aprianto.
“If the system has strong infrastructure, owners will be aware when there is unauthorized access to their system, so they can advise users to do mitigation. This is what Shopback did when it experienced a similar incident last year,” he said. BPJS’s unawareness of intruders points to the weakness of its cybersecurity measures. “On the internet, no system is 100% safe, but we can ensure its security up to 99% through periodic audits and updates so that we can be aware of dangers. Institutions that manage hundreds of millions of pieces of data must not be careless,” Aprianto added.
Snail-paced investigation
Responding to the latest breach, the IT Ministry blocked access to Raid Forums, where BPJS’s dataset was posted, as “a measure to anticipate the wider spread of personal data.” However, this action has drawn criticism. “Those who access Raid Forums are people who’re familiar enough with underground websites, and there are many other ways to open access that has been blocked,” said Aprianto.
Wildan Aliviyarda, vice president and head of information security at Indosat Ooredoo, shares a similar sentiment. “The government blocks Raid Forums to prevent the public from downloading the file and redistributing it. Unfortunately, digital footprints are very difficult to cover. That means once [the file] has spread, there is a definite possibility that it will be copied.”
While identifying hackers and meting out punishments through the judicial system may help those who have been wronged find justice, preventing cyberattacks is of prime importance. Routine cybersecurity audits are key to pinpointing vulnerabilities and developing plans of action to safeguard systems.
Based on its track record in handling the fallout of previous breaches, the Indonesian government tends to move slowly in its investigations. Tokopedia was summoned by government agencies about the platform’s data breach in May 2020. The authorities also said that they will investigate the general elections commission’s leak. However, there have been no updates a year after these cases came to light.
In fact, individuals who have called attention to poor cybersecurity in public systems have been viewed with suspicion. Last August, Aprianto noticed that a user on Raid Forums was claiming to offer access to modify personnel information in the Indonesian police force’s database. He tweeted his findings, and then was detained by police. “Three hours after the tweet, the police set up a press conference to deny the news without any prior investigation,” he said.
Accompanied by his lawyer, Aprianto offered an explanation to the police officers who were questioning him. “They complained that I didn’t immediately report the findings to the police, but instead published it via Twitter, which caused a stir in the media. I didn’t have any access to the police back then, and I felt that this case would get attention quickly if it was spread via social media.”
Aprianto’s problems intensified when several local media outlets reported that his tweets were a hoax, accompanied with a statement from the police. The IT ministry published a press release to make the same claim. Aprianto filed a complaint, and the ministry quietly deleted its statement, but offered no additional clarification to the media. “The authorities seem to focus more on defusing the news to calm the public, rather than investigating the causes of the leaking data itself,” the white hat said.
Responding to KrASIA’s request for comments, Tokopedia did not provide information about the investigation into how the data of 91 million of its users ended up on a public forum, but the company said it is making an effort to protect users’ data by implementing a layered security system. “We are also consistently collaborating with strategic partners—who specialize in cybersecurity—to continue to improve Tokopedia’s governance, procedures as well as anticipation and mitigation systems, in accordance with security standards in the industry,” said Nuraini Razak, Tokopedia’s VP of corporate communications.
Razak added that Gojek, Tokopedia, and GoTo Financial will operate as independent brands and companies within the GoTo Group. There will be no exchange of personal data or information that will conflict with Indonesia’s rules and regulations.
What are the consequences?
Indonesia’s digital economy has been growing rapidly in recent years. Around 196 million people in the country are now connected to the internet. However, many Indonesians have poor digital literacy and are not aware of the importance of data protection. Crucial data that is leaked, such as national ID numbers, cellphone numbers, and salary data, could be misused by nefarious parties. Criminals could use the data for identity theft or financial scams, like taking out online loans and saddling the victims with debt.
“Fraudsters could make fake ID cards, pretending that they have lost their phones, then report it to network provider or operator to get access to phone numbers. This access is crucial, considering we receive one-time passwords (OTPs) to reset email passwords and other accounts via SMS,” said Aliviyarda of Indosat Ooredoo.
He added that the risk of data theft existed before these cases emerged as many registration systems on digital platforms require each user to upload their national ID, as well as enter their cellphone number and date of birth, so this information is in many datasets. The solution may be a simple concept whose execution is challenging. “I hope we can have an official digital identity as an alternative to a national ID, where we can use it for verification on various sites and apps,” Aliviyarda said.
The government is currently reviewing a bill on personal data protection, but it is not clear when it may be passed into law. “Even though the law could give more assurance to the public, we need to limit the dissemination of personal information, especially sensitive data like ID and passport numbers, as well as phone numbers and dates of birth,” said Aliviyarda.