The Jakarta Post


Getting it right first time

Editorial board
Jakarta
Tue, May 25, 2021

Handling a crisis: An employee of the Health Care and Social Security Agency (BPJS Kesehatan) serves a customer at the agency’s branch office in Jakarta on July 1. (JP/Dhoni Setiawan)

Indonesia has suffered its second massive data breach in a year, involving the alleged sale of personal information belonging to 279 million people – exceeding the current population based on the 2020 census – on an online forum tucked deep in the recesses of the internet.

On May 12, an online hacking forum user started offering data allegedly belonging to national health insurance (JKN) policyholders both dead and alive in exchange for two Bitcoins, roughly equal to Rp 1 billion (US$69,661), causing outrage about a lack of data security and privacy.

Three times more data was leaked when compared with the 2019 hacking of local e-commerce platform Tokopedia, although the Communications and Information Ministry insisted in an ongoing investigation that only 100,000 entries out of 1 million checked were valid so far.

Law enforcement and the cybersecurity body, the National Cyber and Encryption Agency (BSSN), were pulled into the fray, while the Health Care and Social Security Agency (BPJS Kesehatan), which manages the JKN, scrambled to find the leak and coordinate efforts with other authorities.

In the previous data breach, registered emails, names and encrypted passwords were leaked, but the current incident exposes full names, ID card numbers, email addresses, phone numbers, dates and places of birth and even salary details – putting practically everyone at risk of identity theft.

The way this disaster is handled will have far-reaching consequences for contemporary civic life, especially with the administration of President Joko “Jokowi” Widodo looking to lead the country through the digital transformation.

It is important to underline the scale of this undertaking, and the potential failings that, if left unaddressed, will prevent Indonesia from enjoying a world-class digital ecosystem and data privacy rights.

For one, the hacking incidents and the similarities between responses a year apart serve to spotlight the inability of the public sector to mitigate cybersecurity threats.

Experts have called for the BSSN to investigate whether BPJS Kesehatan had updated its data security to adhere to international standards under ISO 27001 on information security management, a regulation issued last year that would have protected it from most hacking attempts.

Beyond that, the government seems to be wavering in its commitment to relying on the cybersecurity authority.

A presidential regulation signed in April effectively removed the BSSN’s responsibility to coordinate national cybersecurity issues, about a year-and-a-half after the House of Representatives dropped a cybersecurity bill that would have given the agency extraordinary censorship powers. The regulation also leaves uncertainty regarding who should take over the responsibility to coordinate.

Experts say the leak should give House lawmakers a reason to stop dragging their feet on the deliberation of the personal data protection (PDP) bill. Without a law in place, Indonesians lack privacy rights, as most mitigating factors are left without a clear definition.

The data breach also overshadows plans to consolidate state censorship powers stipulated in Government Regulation No. 71/2019 on the implementation of electronic systems and transactions, which gives the communications ministry authority to enforce mandatory registration and to moderate the content of electronic service providers (ESPs).

The BSSN in particular has called for collaboration as a means to effectively combat cybersecurity threats. With its work cut out for it, maybe it is time the government looked further afield to include privacy rights advocates to ensure it gets the job done on the first attempt.
