[Indonesia] Government confirms data breach but disputes extent

24 May 2021

Indonesia's Communication and Information Ministry has confirmed a social security data leak but insisted that the breach is far smaller in scale than the hacker claimed, The Straits Times reports.

Earlier this month, a user with the handle Kotz posted samples of data on an online forum frequented by hackers. The data included names, citizenship identity numbers, residential addresses and phone numbers of one million Indonesian citizens.

Kotz claimed they had access to data on the entire population of more than 270 million people.

In a May 21 statement, a spokesman for the Communication and Information Ministry said that it was probing 100,002 samples, far fewer than claimed.

Additionally, the spokesman, Mr Dedy Permadi, said the data - such as card numbers, family information and payment status - was allegedly "identical" to that held by the Healthcare and Social Security Agency, BPJS Kesehatan, which runs Indonesia's universal healthcare programme.

The spokesman said authorities have taken steps to prevent further distribution of the stolen data.

"The Communication and Information Ministry has taken anticipatory measures to avert the spread of the data further by cutting off access to the links to download the personal data," he said, adding that two out of three website links have been taken down.

BPJS Kesehatan has deployed a special team to track and find the source of the leak. The agency insisted that it has a "strict and layered data security system" to maintain the confidentiality of data.

The leak came to light as Indonesia, the world's fourth-most populous nation, pushes ahead with a massive COVID-19 vaccination drive for its population. As of May 21, the pandemic had left more than 49,000 dead and 1.76 million infected in the country.

The programme depends largely on online registrations.

Cyber security expert Alfons Tanujaya believes the hack was unlikely to be very sophisticated, as the attacker used "basic" methods like SQL injection, which involves malicious code.

Speaking to The Straits Times, Mr Alfons said, "Judging from the quantity of the leaked data, the data protection is likely still too weak."

He warned that although the leaked data did not include medical records, contact details and other personal data could still potentially be misused to produce fake ID cards, set up bank accounts and apply for loans.

"The (latest) case is the tip of the iceberg from (Indonesia's) messy data management," Mr Alfons said.

Cases of data breach have been surging in Indonesia, home to a huge number of tech-savvy internet users.

In May 2020, a hacker on RaidForums offered the personal data of 15 million users of Tokopedia, Indonesia's biggest e-commerce platform, which recently merged with ride-hailing company Gojek. A month later, the data of 230,000 people taking COVID-19 tests was sold on the same platform. (Links via original reporting)

Indonesia's Parliament has put the Personal Data Protection Bill on its priority list for deliberation again this year but it has yet to be debated.

Mr Dedy called for electronic system providers to report instances of hacking to the authorities at the first opportunity.

"Apart from that, the electronic system providers are also obliged to convey to the owners of the personal data in written statements about their failure to protect the personal data," he said in the statement.



Source: The Straits Times
