Heaptalk, Jakarta — A total of six million tax identification number (nomor pokok wajib pajak, NPWP) records were allegedly leaked and sold on the dark web forum Breach Forum. Several relevant stakeholders responded to the incident, including the Ministry of Kominfo.
The leaked data included the names of President Jokowi and his two children, Gibran Rakabuming Raka and Kaesang Pangarep. Jokowi stated that this data leak incident must be immediately addressed.
“Yesterday, I mentioned that mitigation needs to be done as quickly as possible. Many countries experience similar issues. What is most important is fast mitigation and ensuring such incidents don’t happen again,” said Jokowi during his visit to Dukuh Kupang Market, Surabaya, as reported on the Presidential Secretariat’s YouTube channel, Friday (09/20).
Wijaya Kusuma Wardhana, Special Staff for Social, Economic, and Cultural Affairs at the Ministry of Communication and Informatics (Kominfo), stated that the leaked NPWP data was old. “We found that the data was old, previously hacked from a state-owned enterprise (SOE). Kominfo has coordinated with the Directorate General of Taxes (DJP) of the Ministry of Finance to anticipate the impact,” said Wijaya on Sunday (09/22).
Wijaya also emphasized that Kominfo, as the regulator, continues to enforce regulations related to personal data protection. He urged all governmental and private institutions that manage and control data to strengthen their cybersecurity by forming and empowering Computer Security Incident Response Teams (CSIRT). “CSIRT needs to manage, identify, protect, detect, and immediately respond to potential network security threats. Technically, this will be facilitated by the National Cyber and Crypto Agency (BSSN),” he added.
Meanwhile, Prabu Revolusi, Director General of Public Information and Communication (Dirjen IKP) at the Ministry of Kominfo, added that Law Number 27 of 2022 on Personal Data Protection stipulates criminal penalties for anyone who intentionally and unlawfully discloses personal data. He said, “We will arrest them and impose penalties to deter such actions.”
Those who disclose personal data that does not belong to them could face up to four years in prison or a fine of up to Rp4 billion. Meanwhile, those who use personal data that does not belong to them could face up to five years in prison or a fine of up to Rp5 billion. “Law enforcement agencies will carry out the criminal sanctions process under the Personal Data Protection Law following applicable laws and regulations,” Prabu concluded.