With the campaign season now in full swing, the public was shocked when news broke that pseudonymous hacker Jimbo claimed to have breached the KPU voter roll database and later put the stolen data up for sale on the hacking site BreachForums earlier this week. The alleged breach came only some two months before 204 million Indonesians cast their ballots in the February presidential and legislative elections and while the poll body is preparing its logistics for the elections. The data included voter ID card details and family card numbers.

The commission is still investigating whether the hacker managed to breach its voter roll database, called SIDALIH. But it also alluded to the fact that the breach could have happened from other parties given that the Elections Supervisory Agency (Bawaslu), political parties and candidates participating in the upcoming election also have softcopies of voter data.

Observers, however, have pinned the blame squarely on the KPU for its lackluster digital security, particularly considering the scale and sensitivity of the voter roll data.

“The KPU, as the data controller, should have been able to strictly implement the principles of integrity and confidentiality, which requires the implementation of a strong security system in the processing of personal data,” said Wahyudi Djafar of rights group the Institute for Policy Research and Advocacy (ELSAM).

ELSAM, which has long been campaigning for data privacy, had warned in July that SIDALIH was particularly prone to breaches because of its scale.

Read also: Voter roll breach claim overshadows election logistics preparations