TheJakartaPost


Analysis: BSI at risk of lawsuit after its data breach by hackers

Tenggara Strategics (The Jakarta Post)
Jakarta
Wed, May 24, 2023

President Director of Bank Syariah Indonesia Hery Gunardi (third from left), accompanied by Director of Sales & Distribution of BSI Anton Sukarna (left) and SEVP Digital Banking BSI Saut Parulian Saragih (second from left), handed over the main prize of the BSI Mobile 2022 Rain of Fortune Program to Ridwan Maulana Putra (right) as the main winner during the award ceremony at Wisma Mandiri, Jakarta, Monday, 05/15/2023. PT Bank Syariah Indonesia Tbk (BSI) gave the main prize of one Mini Cooper Countryman car in the BSI Fortune Rain event for the period August 2022 - March 2023. This is a form of appreciation for loyal customers using BSI Mobile. (Courtesy of BSI)

Bank Syariah Indonesia (BSI), a subsidiary of banking state-owned enterprise (SOE) Bank Mandiri, was the victim of extortion by criminal hacker group LockBit over data that allegedly belonged to the sharia banking SOE, including employee data, records of about 15 million of its customers and 1.5 terabytes (TB) of internal data. The data breach, brought about by the hacker group after BSI did not give in to LockBit’s ransom demand over said data, could make the bank liable to lawsuits.

The alleged data breach first surfaced on May 11 when BSI CEO Hery Gunardi told a press briefing the bank had found indications of a cyberattack that caused disruptions to the sharia banking SOE’s services from May 8, including its mobile banking, automated teller machines (ATMs) and branch offices. But all of BSI’s services were recovered as of May 11, and he assured BSI clients their funds and data remained safe.

Dark Tracer, an intelligence platform that monitors malicious activities in cyberspace, revealed the data breach on Twitter on May 13. LockBit used the LockBit 3.0 ransomware that blocks user access to computer systems to obtain the alleged BSI data, which included contact details, financial documents, card details and passwords. The hacker group demanded the bank management contact them to negotiate before 4:09 a.m. on May 16; otherwise, they would release all the data on the dark web.

Dark Tracer also posted a screenshot on Twitter of chat logs allegedly related to a negotiation between LockBit and BSI in which the group demanded a ransom of US$20 million. After the negotiation collapsed, LockBit proceeded to publish some samples of the data they claimed to have stolen from BSI on the dark web on May 16 while keeping those the criminal hacker group judged to be the most interesting for further “exploitation”.

A probable factor in the failure of LockBit and BSI to reach an agreement in the alleged negotiation is that there was no guarantee the criminal hacker group would honor the agreement and refrain from leaking the data on the dark web anyway. Either way, the sharia banking SOE must contend with the fact that a criminal group has irreversible access to sensitive data. Moreover, the leaked data means BSI clients are under greater threat from cyberattacks and scams.

The data breach made BSI potentially liable to a lawsuit for violating Law No. 27/2022 on Personal Data Protection. Although BSI could avoid paying a potential administrative fine, stipulated by the regulation at 2 percent of firms’ annual revenue, due to the law’s two-year grace period, as stipulated by Article 70 of Law No. 27/2022, it could still be forced to pay up to 10 times the fines charged for the criminal offense for failing to protect its clients’ data.

What’s more

BSI’s business initiatives could be at risk due to the data breach. It previously had established a representative office in Dubai to attract United Arab Emirates (UAE) investors, serve Indonesians working and traveling to the Middle East and take advantage of the strong bilateral trade relationship between the UAE and Indonesia. The effort to attract global investors could be hurt by the data breach.

BSI’s server trouble, caused by the data breach, particularly affected the province of Aceh. BSI is the only other bank alongside Bank Aceh Syariah, the special autonomous province’s regional development bank (BPD), that was allowed to operate in the province by Qanun No. 11/2018 on Sharia Financial Institutions. The trouble thus prompted the People's Representative Council of Aceh (DPRA) to plan for a revision of the local regulation that will allow conventional banks to operate in Aceh.

What we’ve heard

Several sources in the State-Owned Enterprises (SOE) Ministry revealed that the management of BSI has known from the beginning that their IT system was compromised by a hacker. However, they intentionally kept the hacking incidents secret.

BSI is concerned that information about the hacking will affect BSI's valuation. Currently, BSI is still exploring the possibility of cooperation with investors from the United Arab Emirates. There are three investors being approached, and they are said to become the new shareholders of BSI after BNI and BRI withdraw from BSI. That's why the management of BSI has been trying to limit the discussion to just ongoing modifications and upgrades in their IT system.

To identify the source of the leak and the validity of the leaked data, the internal audit team of BSI has requested assistance from the IT team of the Financial Services Authority (OJK) and other state-owned banks to conduct digital forensic audits.

Sources in the government reveal that the leakage of customer data is suspected to have come from one of BSI's employees' computers. It is suspected that an employee's computer accessed the BSI intranet from outside the office and did not log out properly.

Disclaimer

This content is provided by Tenggara Strategics in collaboration with The Jakarta Post to serve the latest comprehensive and reliable analysis on Indonesia’s political and business landscape.