The recurrence of data hacking, suspected of being perpetrated by the Bjorka account, is to be deplored. The case is seen as a slap in the face of the government.
JAKARTA, KOMPAS — The hacker using the Bjorka account is suspected of freely hacking netizens’ data in a number of applications managed by public institutions. This indicates the unpreparedness of public institutions in fulfilling obligations as stipulated in the Personal Data Protection Law.
Over the last week, reports about personal-data leakage have again come to the fore. A total of 44.2 million netizens’ data, believed to be managed through the application MyPertamina, were marketed by the Bjorka account on the Breached Forum website at the price of Rp 392 million (US$25,000). Recently, it marketed 3.25 billion data claimed to have come from the application Peduli Lindungi worth $100,000.
In “Indonesia COVID-19 App Peduli Lindungi 3.2 Billion” uploaded on Breached Forum on Tuesday (15/11/2022), Bjorka stated that the data include name, email address, resident’s identification number, telephone number, date of birth, gadget identity, COVID-19 status, checking history, contact-tracing history and vaccination.
Head of the State Cyber and Encryption Agency (BSSN), Hinsa Siburian, when requested to confirm the sale of data by Bjorka through a short message on Wednesday (16/11), asked Kompas to contact the BSSN spokesperson. However, BSSN spokesman Ariandi Putra gave no response to the question sent. Public Information bureau chief of the National Police Public Relations Division, Brig. Gen. Ahmad Ramadhan, made no response either when asked about the alleged hacking by the Bjorka account.
Previously, the Communications and Information Ministry’s Director General of Informatic Applications, Semuel Abrijani Pangerapan, did not answer the question about the alleged hacking either. Semuel diverted the question to the Health Ministry as the regulator of the application Peduli Lindungi.
BSSN spokesman Ariandi Putra gave no response to the question sent.
Meanwhile, Setiaji, chief of the Digital Transformation Office (DTO) of the Health Ministry, along with the ministry’s health-technology expert staffer, as of Wednesday, had not yet responded when asked to confirm the alleged hacking.
House of Representatives Commission I member Dave Laksono warned that there should be a process capable of identifying the data leaked by the hacker and the source of the data. All relevant parties are expected to avoid shirking responsibilities.
A slap for the government
Chairman of the Communications and Information System Security Research Center, Pratama Persadha, regretted the absence of official response from the authorities to the claim of 3.2 billion data from the application Peduli Lindungi offered by Bjorka. In fact, if the leakage has truly occurred, the public is the victim.
In his view, if the leakage of data from the application Peduli Lindungi as claimed by Bjorka has taken place, it constitutes a slap in the government’s face. Furthermore, in September the government already set up the Data Protection Task Force comprising the National Police, the Communication and Information Ministry, the BSSN and the State Intelligence Agency (BIN).
Executive director of the Public Study and Advocacy Institute, Wahyudi Djafar, said the recurrence of the suspected series of data leaks indicated that data regulators, especially those of public institutions, were as yet unprepared to fulfill the obligations as specified in the Personal Data Protection (PDP) Law. The obligation concerns the assurance of processing security, protection of secrecy and notification if any leakage occurs.
Information technology-security practitioner Alfons Tanujaya claimed to have seen and checked samples of data offered. Based on these, he evaluated the data offered by Bjorka as valid. “The leaked personal data can be used to commit cybercrimes such as seeking online loans. Yet it seems public or government institutions have never learned of this issue,” he said.
Separately, forensic digital-expert Ruby Alamsyah described the claim of data that were offered by Bjorka as uncommon. Nevertheless, with the endorsement of the PDP Law, the government has become the institution authorized to announce the truth or falsehood of the data leakage and the party responsible for it.