The government should be able to anticipate recurring breaches with the current equipment it had. However, cyber resilience was virtually lacking in all state ministries and agencies.
By KURNIA YUNITA RAHAYU
JAKARTA, KOMPAS – The data protection task force, made up of intergovernmental institutions, should not only investigate data breaches carried out by the mysterious Bjorka hacker. As breaches of personal data have continued to grow since the first such incident in 2019, the task force should also thoroughly investigate the latest case so it does not cause further harm to the public.
In 2019, according to the results of the Kompas investigation, the personal data of more than 100,000 individuals were circulated among marketing personnel. In the following years, data breaches affected 297 million members of the BPJS Kesehatan universal health insurance. After that, the public was again shocked when the data of around 26 million customers of cable TV and internet provider IndiHome were sold online. Most recently, a hacker named Bjorka claimed to have obtained personal data linked to around 1.3 billion registered SIM cards in Indonesia.
The number of individuals whose personal data have been stolen from various government and private institutions is countless. Surfshark’s report on global data breach statistics for the third quarter of 2022 ranked Indonesia third among countries with the highest number of data breaches, with 12.7 million incidents, after Russia and France.
Digital forensics expert Ruby Alamsyah expressed in Jakarta on Wednesday (14/9/2022) his regret that the government had formed an intergovernmental task force to investigate only the data breach involving Bjorka. A more thorough investigation was needed, as a countless number of individuals had their personal data breached in the past few years. In addition, the data that had been leaked were comprehensive, because they concerned users’ personal identities.
"The data protection task force should investigate breaches of people’s personal data that has been occurring for a long time, and not just focus on data involving state secrets and the personal data of certain officials," said Ruby.
Coordinating Political, Legal and Security Affairs Minister Mahfud M.D. announced the establishment of the data protection task force on Wednesday (14/9) after a closed-door meeting with Communications and Information Minister Johnny G. Plate, State Intelligence Agency (BIN) head Budi Gunawan, National Cyber and Encryption Agency (BSSN) head Hinsa Siburian, and National Police chief Gen. Listyo Sigit Prabowo. The meeting was held as a follow-up to deal with the data breach allegedly linked to the account of a hacker using the name Bjorka.
Since the end of August, Bjorka has sold data stolen from SIM cards registered in Indonesia and the website of the General Elections Commission (KPU). In addition, the hacker has also sold the President's correspondence and the personal data of a number of state officials.
Serious handling
Mahfud explained that the government was serious about handling the case. The National Police and BIN had discovered Bjorka's identity and location, but had not yet announced these publicly.
The public has been urged to stay calm, as the data Bjorka had hacked were not sensitive. According to the results of the probe into their identity, Bjorka was not a highly sophisticated hacker. The hacker also did not appear to have harmful intentions as regards politics, economics, or commercial gain.
"The meeting concluded that Bjorka did not have high breaching capabilities. They just wanted to show that, according to our view, we must be aware that we can be hacked. But not now," said Mahfud.
Mahfud added that the government had decided to form a data protection task force as part of its anticipatory measures. However, the data breach was a reminder for the country to build a more sophisticated cybersecurity system. He did not provide any details about the new task force.
In addition to following up on data leaks, the task force’s establishment is among the points stipulated in the Personal Data Protection Bill (RUU PDP). The plan is for the bill, which the government and the House of Representatives (DPR) have discussed for two years, to be ratified soon at a DPR plenary session. The government will then enact it immediately within the following month. The Personal Data Protection Bill "contains directives on the establishment of the cybersecurity team," Mahfud said.
Ruby added that his office had proposed that the task force conduct a comprehensive investigation into the massive breaches of people’s personal data that had occurred since 2019. The results of the investigation would identify the agencies and vulnerabilities that allowed the breaches to occur. Armed with the results of the investigation, the relevant agencies could also follow up with a number of processes.
Apology
These follow-up processes should include announcing what data elements had been leaked. After the announcement, the agencies involved must also issue an apology to all affected communities. Finally, an awareness campaign should be held to inform people on the risks that could arise if their personal data were stolen.
"By carrying out the post-leak process, the public will be calmer and ready to mitigate any risks that may arise," said Ruby.
Sukamta, a member of DPR Commission I from the Prosperous Justice Party (PKS) faction, said he had not received any information regarding the government’s establishment of the data protection task force. As for the Personal Data Protection Bill, the government was mandated to form an institution with the authority to protect personal data. One of the duties of this institution was to supervise data managers and processors.
According to Sukamta, the government should be able to anticipate recurring breaches with the current equipment it had. However, cyber resilience was virtually lacking in all state ministries and agencies. For this reason, it was important to immediately conduct an audit of cybersecurity systems at all agencies that managed people's personal data, which should be carried out by professional auditors.
"This audit is to discover the strengths and weaknesses of the data management system, hardware, software, and brainware. From this, the map of the problem will be clear," he said.
Meanwhile, Communications and Information Minister Johnny G. Plate said that cyberattacks and data breaches did not only target government agencies, but also frequently affected private electronic system operators (ESOs).
Therefore, as entities that also stored and managed people’s personal data, he called on all private ESOs to ensure that their respective data systems were secure. This was not merely an appeal, but also the obligation of every ESO.
This article was translated by Hendarsyah Tarmizi.