Bank Syariah Indonesia (BSI), a subsidiary of the state-owned banking enterprise (SOE) Bank Mandiri, was the victim of extortion by the criminal hacker group LockBit over data allegedly belonging to the sharia banking SOE, including employee data, records of about 15 million of its customers and 1.5 terabytes (TB) of internal data. The data leak, carried out by the hacker group after BSI refused to pay LockBit's demanded ransom for the data, could make the bank liable to lawsuits.
The alleged data breach first surfaced on May 11 when BSI CEO Hery Gunardi told a press briefing the bank had found indications of a cyberattack that caused disruptions to the sharia banking SOE’s services from May 8, including its mobile banking, automated teller machines (ATMs) and branch offices. But all of BSI’s services were recovered as of May 11, and he assured BSI clients their funds and data remained safe.
Dark Tracer, an intelligence platform that monitors malicious activity in cyberspace, revealed the data breach on Twitter on May 13. LockBit used its LockBit 3.0 ransomware, which blocks users' access to computer systems, to obtain the alleged BSI data, which included contact details, financial documents, card details and passwords. The hacker group demanded that the bank's management contact them to negotiate before 4:09 a.m. on May 16; otherwise, they would release all the data on the dark web.
Dark Tracer also posted a screenshot on Twitter of chat logs allegedly related to a negotiation between LockBit and BSI in which the group demanded a ransom of US$20 million. After the negotiation collapsed, LockBit proceeded to publish some samples of the data they claimed to have stolen from BSI on the dark web on May 16 while keeping those the criminal hacker group judged to be the most interesting for further “exploitation”.
A probable factor in LockBit and BSI failing to reach an agreement in the alleged negotiation is that there was no guarantee the criminal hacker group would honor the agreement and refrain from leaking the data on the dark web anyway. Either way, the sharia banking SOE must contend with the fact that a criminal group has irreversible access to sensitive data. Moreover, the leaked data means BSI clients are under greater threat from cyberattacks and scams.
The data breach made BSI potentially liable for a lawsuit by violating Law No. 27/2022 on Personal Data Protection. Although BSI could avoid paying a potential administrative fine stipulated by the regulation at 2 percent of firms’ annual revenue due to the law’s two-year grace period, as stipulated by Article 70 of Law No. 27/2022, it could still be forced to pay up to 10 times the fines charged for the criminal offense for failing to protect its clients’ data.
What’s more