Ministry of Home Affairs Investigating Alleged Leakage of 337 Million Dukcapil Data

The alleged leak of population data was initially revealed by the founder of Ethical Hacker Indonesia, Teguh Aprianto, on his Twitter social media account @secgron, Sunday (16/7/2023) evening. He wrote a tweet accompanied by a screenshot about the sale of data by the anonymous account "RRR" on breachforums on July 14. The account sells 337,225,465 data said to come from the dukcapil server.kemendagri.go.id.

Teguh Aprianto mentioned that the confirmed leaked data includes names, identification numbers (NIK), family card numbers (KK), date of birth, address, father's name and NIK, mother's name and NIK, and birth or marriage certificate numbers.

Analysis of the data field sold by the account "RRR" tends to lead to population data managed by the Ministry of Home Affairs. Some of the data elements are related to the issuance of electronic identity cards (e-KTP).

In response to the alleged data breach, Director General of Population and Civil Registration (Dukcapil) at the Ministry of Home Affairs (Kemendagri), Teguh Setyabudi, emphasised that his team has taken action to follow up on the alleged population data leak that was sold on the online marketplace. A thorough audit investigation and preventive mitigation measures have been conducted since Sunday (16/7/2023) in conjunction with the National Cyber and Encryption Agency (BSSN) and other stakeholders.

"So far no traces of data leakage have been found in the centralized online Population Administration Information System (SIAK) which is currently being run by the Directorate General of Dukcapil of the Ministry of Home Affairs," said Teguh Setyabudi, in Jakarta, Monday (17/7/2023) .

According to him, the data found in breachforums is not in the same format as the data in the database owned by the Directorate General of Population and Civil Registration (Ditjen Dukcapil). Nevertheless, the process of auditing and investigation is still ongoing to further investigate the alleged data leak, including the database in the regencies/cities. "This step is also a form of preventive mitigation to prevent data leaks in the future," he said.

KTP-el data

However, according to Pratama Persadha's Head of the Communication and Information System Security Research (CISSReC), analysis of the data fields sold by the "RRR" account tends to lead to population data managed by the Ministry of Home Affairs. A number of data are data elements related to the issuance of an electronic identity card (KTP-el).

Moreover, according to Pratama, there are several data that are very dangerous for the affected community due to the leakage. One of which is the full name data of the biological mother which is usually used as data verification in various banking transactions. "Imagine how dangerous it is for the biological mother's name data if it falls into the hands of individuals who will engage in criminal and fraudulent activities, especially if the data is combined with other leaked data, which can obtain a complete data profile of potential fraud victims," he explained.

Member of Commission I DPR, Dave Akbarshah Fikarno, asked the government to immediately check the validity of the personal data being sold. This is important to ensure the correctness of the data being sold is it current or outdated.

Furthermore, Dave requested the government to create a clear blueprint that should be implemented in all government and private agencies that hold personal data in order to truly protect personal data. In addition, the government must develop a long-term plan for data security development, such as completing the Cyber Sovereignty Act and strengthening digital infrastructure and intrastructures.

"It would be better for the government to immediately form an institution for the protection of personal data, but the authority and capabilities of the institution must also be clear in order to function optimally," he said.

The existence of a personal data protection agency is urgent due to ongoing leaks of public data. Previously, in May, data amounting to 1.5 terabytes, including nine databases containing personal information of over 15 million customers and employees of BSI, was suspected to have leaked.