JAKARTA, KOMPAS - This past week has seen repeated allegations of breaches of personal data belonging to several high-ranking state officials and the public. These incidents have sounded the alarm over Indonesia’s cyber sovereignty.
In the online forum Breached.to, an account known as “Bjorka” traded the data of 1.3 billion SIM card registrations, which they claimed were obtained from all telecommunication operators at the end of last August. Six days later, the same account traded the data of 105 million Indonesian citizens, which they also claimed were obtained from the General Elections Commission’s (KPU) official website.
That is not all. Bjorka again sold records of incoming and outgoing correspondence documents sent to President Jokowi, including letters from the State Intelligence Agency (BIN), which were labeled as classified. The hacker then also uploaded the personal data of Communications and Informatics Minister Johnny G. Plate, House of Representatives Speaker Puan Maharani and State-Owned Enterprises Minister Erick Thohir. The uploading of these state officials’ data was accompanied by messages expressing certain intentions. Via social media, Bjorka also claimed that they would expose the murder of human rights activist Munir and the Mypertamina application data bank owned by state-owned oil-and-gas firm Pertamina.
When asked about the alleged hacking on Saturday (10/9/2022), Presidential Secretariat head Heru Budi Hartono emphasized that no important data from the State Palace were leaked online. “No data have been hacked. We have other and different means of [storing] important letters,” he said.
Because hacking attempts are a violation of the law, Heru added, this will be handled by law enforcement.
Digital-forensic expert Ruby Alamsyah, when contacted from Jakarta on Sunday (11/9), said that Bjorka’s continuous data breaches have exacerbated the emergency situation of Indonesia’s cyber sovereignty. This recent incident has been added to a long list of data breaches that have occurred since 2019.
“In the last three years, there has been an increasing trend of data breaches, both in terms of quantity and quality of data. This means that the data that was stolen and sold by certain parties is getting more interesting and more confidential in nature,” he said.
According to Ruby, Bjorka’s maneuver was due to the country’s inability to mitigate the risk of data breaches. Instead of investigating these cases, the relevant authorities too often issue vague statements and shift the blame onto someone else. Several agencies named by hackers have also denied any data breaches.
A lecturer in political communication at Syarif Hidayatullah State Islamic University, Gun Gun Heryanto, added that the government cannot downplay personal data breaches by constantly denying them. Such denials will not solve the problem and can actually encourage hackers to compete in leaking data.
He said a fundamental investigation was needed to identify the root cause of why data breaches continue to occur. The results of such an investigation must also be acknowledged by the government and then followed up by evaluating the relevant officials.
“What Bjorka has done should be a slap in the face for the government’s authority. Regulations concerning the protection of personal data have become increasingly urgent to realize,” he said.
Kompas has contacted Communication and Informatics Minister Johnny G Plate concerning Bjorka’s alleged data breach and the government’s response to it. However, the minister has yet to respond as of Sunday evening.
Data from the State Palace
The data that Bjorka claims belong to President Jokowi, 40 megabytes in size, are being offered for 8 credits, or Rp 32,000 (US$2.16). The hacker guaranteed that the contents of the document include the letter’s title, number and date as well as the identity of the sender and the employee who received it.
Cybersecurity and digital-forensics observer from Vaksincom, Alfons Tanujaya, said that he downloaded the data sold on Breached.to but found that its contents were not as promised. The contents of the document only included records of incoming and outgoing letters from the State Secretariat. He suspected that the document, in the form of a 600-column table containing only entry and exit records, was authentic. There were also letters from BIN. However, the contents of such letters were not being illegally sold.
“There’s a lot of misperceptions. People think that [the leaked data] contains classified letters. I’ve downloaded the file and it’s something like a guest book from the State Secretariat. We don’t know what level of classification [the file] is and whether we’re allowed to see it or not,” said Alfons.
Meanwhile, National Cyber and Crypto Agency (BSSN) spokesperson Ariandi Putra said that the agency had investigated the alleged data breach while coordinating with the electronic system operators (PSE) whose data were also allegedly leaked, including those within the State Secretariat.
BSSN has also taken mitigation measures to strengthen cybersecurity systems to prevent greater risks in several PSEs. “BSSN coordinates with law enforcers, including Bareskrim [National Police's Criminal Investigation Department] cybercrime director, to take law enforcement action,” Ariandi said in a written statement on Saturday.
BSSN also emphasized that cybersecurity is a shared responsibility. For this reason, BSSN provides technical support and asks PSEs to ensure the security of the electronic systems in their own environments.
This article was translated by Kesya Adhalia.