By IQBAL BASYARI / MEDIANA / RINI KUSTIASIH
JAKARTA, KOMPAS — Samples of personal data sold by an account called Kotz on a hackers’ forum called Raids Forum are strongly believed to be identical to personal data held by the Social Security Management Agency (BPJS) or the Health Care and Social Security Agency (BPJS Kesehatan). Kotz claimed that the data was a sample of much more data it had on Indonesia's population of 279 million.
This is far from the first leakage of personal data from Indonesia. Similar cases from the last two years include the alleged leaking of personal data held by Tokopedia, Bhinneka.com, Kreditplus, RedDoorz and the General Elections Commission.
To prevent future leakage of personal data, the government needs to mandate regular system testing and cybercrime attack simulations for systems in government institutions. The Personal Data Protection Bill (RUU PDP) currently being discussed also needs to be passed to strengthen the security of citizens' personal data. This is because the leaked personal data can be used for crimes.
Communications and Information Minister Johnny G Plate told Kompas on Friday (21/5/2021) that his ministry had been investigating samples of personal data circulating since Thursday (20/5) on Raids Forum. The investigation found that the data samples did not amount to 1 million records as claimed by the seller, Kotz, but only 100,002 personal data records.
In addition, the data samples were strongly believed to be identical to the personal data managed by BPJS Kesehatan. This was based on card number data, office codes, family data/dependency data and payment status, which are identical to the data of BPJS Kesehatan.
In connection with this, the Communications and Information Ministry (Kemenkominfo) had summoned the board of directors of BPJS Kesehatan on Friday for further investigation. Three conclusions emerged from that meeting. First, the BPJS will immediately check the personal data suspected to have been leaked. Second, the investigation will be carried out by an internal BPJS team and will always be coordinated with the Communications and Information Ministry and the National Cyber and Encryption Agency (BSSN).
"Third, data security measures will be taken by the BPJS to mitigate the risk of wider personal data leakage," added Johnny.
Apart from that, the Communications and Information Ministry has filed for termination of access to the three links that spread the personal data. Two links have been terminated, while the termination of the third is still in progress.
Separately, BPJS Kesehatan president director Ali Gufron Mukti said his side was working hard to get certainty and do everything necessary related to the investigations.
Crimes
The chairman of the Communication and Information System Security Research Center, Pratama Persadha, said the leaked personal data could be used by criminals to carry out social engineering attacks or phishing, namely tricking netizens to obtain email account or social media information, among other purposes.
Due to the great danger of personal data leakage, Pratama urged the government to require system testing and penetration tests, or cyberattack simulations, on a regular basis throughout the systems of government institutions. To do this, government agencies should cooperate with the BSSN to conduct digital forensic audits, so that flaws in cybersecurity can be identified.
Meanwhile, the executive director of the Institute for Community Studies and Advocacy, Wahyudi Djafar, noted the importance of the government and the House of Representatives (DPR) immediately passing the PDP bill that is still being discussed by the DPR and the government.
The absence of a personal data protection law, according to Wahyudi, has raised a number of problems in data protection governance. This applies to the public sector, including ministries and agencies, and to the private sector.
The chairman of the PDP bill working committee, Abdul Kharis Almasyhari, realized the urgency of the ratification of the PDP bill. However, the deliberation of the draft still could not continue, because it had to wait for the decision to extend the discussion from the DPR deliberation body.
The director of the Indonesian Parliamentary Center, Ahmad Hanafi, said the recurring leakage of personal data should be a strong reason to immediately ratify the PDP bill. This data leakage should not be underestimated, because it could disrupt the stability of the country.
"The DPR deliberation body must immediately determine the extension of the discussion on the PDP bill," said Hanafi.