The Jakarta Post
Homegrown e-commerce platform Bukapalak has denied reports that the data of millions of its users were compromised and sold on the dark web, only days after e-commerce unicorn Tokopedia was reported to have faced an internal system breach.
The personal data of around 13 million Bukalapak users, including usernames, email addresses and encrypted passwords, are being sold for an undisclosed price on data-exchange platform RaidForum.
“After an internal investigation, we found that the reports currently circulating were sourced from a data breach attempt last year. There have been no new incidents,” Bukalapak corporate communication head Intan Wibisono told The Jakarta Post on Wednesday.
She said the company monitored and recorded the people who accessed, read, replaced, or deleted its data. Bukalapak stores sensitive data, such as citizen ID cards (KTP), in a special form of storage in which data is automatically deleted to protect the users’ privacy, she added.
RaidForum account STARTEXMISLEAD claimed to be selling Bukalapak user data. The account posted a thread on the evening of May 4. Another account, AsianBoy, claimed to be selling the data of 12.9 million Bukalapak users dated 2017. The account was only created in April this year.
“We can assure our user that their data is kept safe,” said Bukalapak CEO Rachmat Kaimuddin in a written statement on Wednesday.
He went on to say that the user data was protected with a multi-layer protection system and that the company had improved its security measures after an attempted breach last year.
“We found and stopped the culprit of last year's data breach attempt,” Rachmat said. “We would also like to remind our users to take preventive measures such as changing their passwords periodically and enabling two-step verification.”
The company reported that it has around 50 million users and 40 million merchants with 131 million average monthly visitors as of 2019.
Tokopedia’s internal database was breached by an as-yet unidentified party, resulting in a massive data leak that affected around 15 million of its users, according to a recent report by cybersecurity research collective Under the Breach.
A report titled The Hacker-Powered Security Report 2019 published by bug bounty platform HackerOne revealed that data leaks among retail and e-commerce platforms occurred more frequently than was recognized as more than two-thirds of all retailers considered cybercrime a top security issue.
The retail and e-commerce sector has reported that information disclosures made up 21 percent of all reported vulnerabilities, as hackers usually targeted financial data such as credit and debit card details as well as supporting personal data like name, age and gender.