Last year was a banner year for the exposure of personal information, and the lesson learned is that Indonesia needs to adopt a privacy law this year.
The series of cyberattacks on state institutions, from website defacements to data breaches, happened during the coronavirus pandemic when people relied more on digital technology but without proper regulations protecting their personal data.
One notable incident was detected in May, when an account with the username Kotz on online hacking forum RaidForums claimed to have personal information allegedly belonging to more than 200 million policyholders of the national health insurance (JKN) program, both dead and alive.
Kotz initially provided a link to three separate file-sharing websites on which data on 2 million people could be downloaded as a sample but later deleted the post and denied having offered to sell the data.
The Communications and Information Ministry found indications that the data was identical to that of the JKN's database because it contained personal information such as policy numbers and premium payment statuses. The ministry blocked access to RaidForums after finding that at least 100,000 entries of the data were valid.
The ministry also summoned the board of directors of the Health Care and Social Security Agency (BPJS Kesehatan), which manages the JKN program, and ordered the agency to coordinate its investigation with the ministry and the National Cyber and Encryption Agency (BSSN) and share with them all of its findings.
It was the second massive breach detected in Indonesia after the personal information of up to 91 million users of Indonesian e-commerce platform Tokopedia was stolen and offered for sale in May 2020.
Experts were quick to call on policymakers to pass the long-awaited data protection bill, which is expected to require any entities processing and managing personal data to protect against illegal use of personal data.
Yet its deliberation has been slow while data breaches continued to happen last year, including one that centered on personal information on the now-defunct electronic Health Alert Card (eHAC) system in August 2021.
This incident jeopardized around 1.3 million eHAC users who had submitted information such as contact details, addresses, national identity (ID) numbers and COVID-19 test results.
An investigation involving the ministry, the BSSN and the National Police was closed after seven days when they found the breaches had happened on an unsecured third-party database and there had been no attempts to hack into the eHAC server. But experts said the investigation ended too soon and without clarity on whether the data had been leaked before encryption provider vpnMentor first reported the issue in late July.
In the insurance sector, data leaks were detected in July when an unnamed user on RaidForums claimed to have 460,000 documents for sale containing the ID card numbers, banking records and tax details of 2 million clients of BRI Life, the insurance arm of state lender Bank Rakyat Indonesia (BRI).
Another cyberattack occurred in mid-October 2021 when the Indonesian Child Protection Commission's (KPAI) database containing the personal information of people who filed reports on alleged child abuse cases was hacked, putting child victims of abuse at risk. Sensitive information of children and their guardians was put up for sale by an account with the username C77 on RaidForums.
An investigation into the incident was immediately launched by the information ministry, which also involved the BSSN and the police cybercrime directorate.
But a week later, a website hosted by the BSSN that was supposed to detect and prevent cyberattacks was defaced by an alleged Brazilian hacker named SonIx. Experts said although the attack on the BSSN had been relatively mild, it raised questions on the agency's security.
In a different incident in November 2021, a Twitter account with the username @son1x777 claimed to have hacked into the police's system and stolen the personal data of thousands of police officers, from their dates of birth, work unit and ethnicity to their badge numbers.
Critics say the repeated cyberattacks on state agencies indicate that the government has a weak awareness of data security and has no certain steps to improve it.
Institute for Policy Research and Advocacy (Elsam) executive director Wahyudi Djafar, who has been advocating personal data protection laws for years, said authorities "had failed to investigate each incident thoroughly to identify the causes and vulnerabilities of the compromised databases".
This, he said, also underscored the need to pass the data protection bill, which is expected to provide guidelines for law enforcement agencies to impose stern penalties against the illegal use of personal data.
The bill, drafted and proposed by the government in 2014, has been listed as a priority this year, but its deliberation has been slow and delayed several times. This has cast doubt among experts and the public on how serious policymakers are about protecting digital privacy.
In September 2021, not long after the alleged eHAC data breach stirred public concern, House of Representatives Speaker Puan Maharani reaffirmed lawmakers’ commitment to passing the bill.
Yet deliberations failed to make any significant progress up to the end of the House's last sitting session on Dec. 16, 2021.
The government and lawmakers are still divided over the design of a data protection agency. The government wants the agency to be placed under the information ministry, while lawmakers insist on an independent data protection authority to prevent any possible conflicts of interest.