Heaptalk, Jakarta — Personal data of 1.3 billion Indonesians in the form of SIM card registrations have been leaked and sold online by a Breach Forums user under the name Bjorka (31/08). With a total capacity of 87 gigabytes (GB), Bjorka set a price of US$50,000 equivalent to Rp744 million with a payment method using the cryptocurrency bitcoin or Ethereum.
Attaching a 2 GB sample, the dataset includes several types of customer data such as telephone numbers, ID card numbers, cellular operator name information, and telephone number registration date. Bjorka updated his activities related to the data he had on Twitter while mentioning the data owner accounts although his accounts have been suspended several times. The action made the hacker become a trending topic for a few days.
Responding to the issue, the Directorate General of Informatics Applications coordinated with all cellular operators, the Directorate General of Population and Civil Registration (Ditjen Dukcapil), the National Cyber and Encryption Agency (BSSN), the Cyber Crime Police, and the Directorate General of Post and Information Technology to investigate the data breach.
According to the discussion with the related stakeholders, the Director General of Informatics Applications, Semuel Abrijani Pangerapan, stated that the structure of personal data leaked is not identical, although some files show similarities. He said, “Therefore, all operators as well as Dukcapil, we agreed to carry out a deeper investigation.”
Through the investigation, the government will find out where it came from, whose data was leaked, as well as how to mitigate and secure them. Cyber Crime Police is involved to follow up on the result and proceed it to law.
Leak confirmed as invalid data
Prior to that, the hacker also uploaded a dataset containing 26 million search histories of Indonesia Digital Home (IndiHome) users (20/08). The leak of personal data includes domain, platform, browser, URL, Google keyword, IP, screen resolution, user location, email, gender, name, and ID card number.
Telkom Indonesia, as the provider of IndiHome service, confirmed that there was no leakage of IndiHome customers’ personal data as circulated on the news. SVP Corporate Communication and Investor Relation Telkom, Ahmad Reza, delivered that Telkom ensured a 100% data breach was fabricated by parties or individuals.
“We store all customer data in an integrated cybersecurity system and are managed based on the applicable laws and regulations,” said Ahmad during the press conference (22/08). Moreover, Telkom does not have any system that stores browsing history adjoining with customer personal data.
VP Network/IT Strategy, Technology & Architecture Telkom, Rizal Akbar, said that the currently circulating data includes invalid IndiHome numbers, both from the number of digits and the numbering format. Thus the data claimed by the hacker containing IndiHome’s users are invalid.
Govt officials’ data also breached
Afterward, the hacker claimed to own data from the General Elections Commission (KPU) namely 105 million Indonesians’ personal information spanning identity numbers (NIK), family card (KK), place and date of birth, gender, address, and age (06/09). The dataset is sized 20 GB with a 2 GB sample to prove its authenticity.
Correspondence documents allegedly belonging to President Joko Widodo also have been leaked by the same account name at Breach Forums (09/09). The documents contain mailings sent to the President ranging from 2019—2021 including mailings from the Indonesian State Intelligence Agency (BIN).
Following that, several personal data of government officials are also leaked, spanning the Minister of Communication and Information Technology Johnny G. Plate, the Director General of Informatics Applications Semuel Abrijani Pangerapan, the Coordinating Minister for Maritime and Investment Affairs Luhut Binsar Pandjaitan, the House of Representatives Speaker Puan Maharani, and the Minister of State-Owned Enterprises Erick Thohir.
Emergency response team to tackle the personal data leak
After more than 3 weeks since the first attempt of the data breach, the Government made a compelling step by forming an emergency response team to investigate cyber attacks that have occurred in recent times. The measure is taken as instructed by President Joko Widodo during the meeting with the Minister of Communication and Information Technology, the Coordinating Minister for Political, Legal, and Security Affairs, and the Head of the National Cyber and Encryption Agency at Merdeka Palace Jakarta (12/09).
The Minister of Communication and Information Technology, Johnny G. Plate, delivered the team consisting of the National Cyber and Encryption Agency, the Ministry, and the State Intelligence Agency. “There needs to be an emergency response team related to maintaining data and good data governance in Indonesia, as well as to maintaining public trust,” said Johnny on a written statement.
In his conclusion, the Minister hopes that the Personal Data Protection (PDP) Bill will become a new legal umbrella to prevent personal data leak in Indonesia’s digital space.
