Weak personal data protection at government agencies and private enterprises has made their data vulnerable to exploitation, whether for economic motives or other reasons.
By RINI KUSTIASIH/NIKOLAUS HARBOWO/DIAN DEWI PURNAMASARI
Public agencies and private enterprises are still vulnerable to data breaches. The data protection bill, which would regulate the usage and management of data, should have a protective function.
JAKARTA, KOMPAS — Most public agencies and private enterprises do not employ strong data protection measures. As a result, they are vulnerable to data breaches. A regulation to strengthen personal data protection that is currently being discussed by the House of Representatives could change this situation.
According to the 2020 National Cyber Security Index (NCSI), administered by the E-Governance Academy Foundation, Indonesia ranks 76th of the 100 countries surveyed for the index. The index measures a country’s readiness to mitigate cybersecurity threats and manage cyber incidents. For Indonesia, of the 12 indicators used in the index, personal data protection received the lowest score, 1 of 4 points.
This study also shows that Indonesia’s digital community is better equipped in cybersecurity.
Ethical Hacker Indonesia founder Teguh Aprianto said in Jakarta on Saturday that hackers only needed to exploit bugs in the system because of the weak data protection system. After finding the bugs, they could exploit those points and hijack the system.
“If they can do defacement, they can take any data that they want to, including personal data,” Teguh said.
According to Teguh, public agencies’ websites have the weakest data protection systems, making them vulnerable to data breaches. Even novice hackers could hijack public agencies’ websites. “Usually, hacking on public agencies’ websites is done by novice hackers because they need recognition from the community. The collected data will be posted on an e-commerce website available exclusively for hackers, such as Raidforums,” Teguh explained.
Some of the collected data is shown on the Zone-h website. In March, 25 data hacks were published on the website. Most of the data breaches were obtained from the High Court, the Religious Court, as well as the Attorney General’s Office (AGO) website. Other attacks on government agencies include hijacking, theft of internet protocol (IP) and website addresses and special defacement.
“Thousands of sources of data have been stolen from government agencies’ websites,” Teguh said.
In the private sector, he added, there were repeated incidents of data breaches. Start-ups typically began to think about data protection only after a data breach incident took place.
Improving governance
The National Cyber and Encryption Agency (BSSN) recorded 475 million cyberattacks in Indonesia in 2020. This number had increased threefold from 2019. Generally, there are three types of cyberattack: email phishing, data breaches and web defacement.
In 2020, BSSN recorded 2,549 cases of email phishing with a criminal motive. Moreover, 79,439 accounts were hacked and 9,749 web defacement cases were recorded. Besides changing website interfaces, hackers also changed the content.
BSSN head former Lieutenant General Hinsa Siburian said rising cyberattacks and data breaches had to be solved by improving the current cyber infrastructure. In addition, a regulation that focused on personal data protection was needed.
BSSN supports the completion of the personal data protection bill that is currently under discussion in the House.
“Conceptually, data exchange is inevitable. What we should emphasize is consent from data owners approving data exchange. We hope the bill can provide the necessary framework for regulating the flow of data. Hopefully, the bill can help build a credible and secure ecosystem for information exchange,” Hinsa said.
So far, there has been wide variation in the readiness of public agencies and private enterprises to protect personal data. Some institutions are serious about addressing this matter, but others have not met the required cybersecurity standard defined in ISO 27001. This issue could be solved through regulation and law enforcement.
Binder Dijker Otte (BDO) Indonesia cybersecurity director M Novel Ariyadi said that the European Union’s General Data Protection Regulation (GDPR), which was used as a benchmark by the House and government in drafting the personal data protection bill, stipulated that every electronic system provider must have a data protection officer. The officer is responsible for users’ personal data protection.
Data protection officers are crucial for protecting users’ personal data. So far, Novel added, many companies were still not employing data protection officers because of a limitation in available human resources.
House Commission I member Christina Aryani said the personal data protection bill would require all electronic system providers to employ data protection officers. Companies and agencies that did not prepare any data protection measures would be sanctioned.
Nevertheless, the data protection officer requirement is still being discussed by Commission I members. For instance, micro, small, and medium enterprises (MSMEs) should be exempted from the data protection officer requirement due to cost concerns.
Waiting for Priority Prolegnas
House Commission I chair Abdul Kharis Almasyahri said the discussion of the personal data protection bill was awaiting the confirmation of the 2021 Priority National Legislation Program (Prolegnas). Abdul emphasized that the bill had become a priority for House members because of the growing importance of data protection.
Communications and Information Ministry director general of information applications Samuel Abrijani Pangerapan hoped the bill would be passed this year. “We want to discuss it as soon as possible. Nevertheless, there has been no information on the meeting schedule. The government cannot force discussion [of the bill]. We are still waiting for the meeting schedule from the House of Representatives,” Samuel said.
Samuel also emphasized that personal data protection was the government’s main priority. The personal data protection bill has been drafted to protect citizens and their personal data. The bill also regulates the rights and responsibilities of data managers. The bill specifies types of personal data that are protected by the government, including specific data that requires special protections.