The move comes after a seven-day investigation involving the National Cyber and Encryption Agency (BSSN), the National Police and the Health Ministry into the vpnMentor report initially submitted to the ministry on July 21. The alleged data leak is thought to have compromised the personal data of around 1.3 million eHAC users, including their contact details and national identity (ID) cards.

Health Ministry’s eHAC is a mandatory requirement for both domestic and international travelers so the government can keep track of COVID-19 cases across the country.

“Following the probe by the National Police at the Health Ministry and its partners, [we] did not detect any attempts to retrieve the data stored on the eHAC server,” National Police spokesman Insp. Gen. Argo Yuwono said on Tuesday, as quoted by antaranews.com.

Argo also confirmed that the police had dropped their investigation into the alleged data leak.

Anas Ma’ruf, who heads the Health Ministry’s Data and Information Center, stressed that the eHAC database, which was now linked to official COVID-19 tracking app PeduliLindungi, was adequately protected. He added that the findings of the investigation provided reassurances that the database was secured against potential leaks and breaches.

Read also: Cyber-attack haunts Indonesia's COVID-19 strategy

However, experts have urged caution in light of the government’s move to wrap up the probe quickly, arguing that it remained unclear whether eHAC data had been leaked prior to vpnMentor’s reporting the issue.

“It’s too premature to conclude if there was a data leak or if any crimes were committed [using the leaked data],” Wahyudi Djafar, executive director at the Institute for Policy Research and Advocacy (ELSAM), said on Thursday.

He said that any investigation of a reported data leak must be handled by the appropriate data protection authorities to uncover the cause of the alleged leak first, before the police launched their own investigation into potential crimes resulting from the leaked data.

Drone Emprit cofounder and cyber activist Ismail Fahmi echoed Wahyudi’s view that the policy had ended their investigation prematurely.

“What the police are claiming is only from what they know, but the situation is [that] the eHAC database has been vulnerable to a leak since July 15 or even longer before [then],” Ismail said on Thursday. “The real question is whether a hacker actually got ahold of the data before [vpnMentor reported it].”

Even if the data leak was confirmed, he continued, it would be impossible to hold the perpetrators to account because the country did not have a regulation on data protection.

Read also: Indonesian's data 'just sitting there', hackers say

The proposed establishment of a data protection agency is a major sticking point in the deliberation of the long-awaited data protection bill, with the government and lawmakers still unable to resolve their differences over the agency’s structural position.

The government has proposed that the agency be placed under the Communications and Information Ministry, while lawmakers have insisted on the agency’s independence to avoid any potential conflicts of interest.

After news emerged last week on the alleged data leak, House of Representatives Speaker Puan Maharani reaffirmed lawmakers’ commitment to finalizing the data protection bill. She also called on the government to show its “seriousness” in deliberating the bill.