TheJakartaPost
Please Update your browser
Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.
Heads must roll over NDC cyberattack
Several aspects related to the recent cyberattack on an NDC facility raises serious questions about the communications ministry in its capacity as a personal data controller, especially considering that it led the drafting of the Personal Data Protection Law.
Change text size
Gift Premium Articles
to Anyone
Share the best of The Jakarta Post with friends, family, or colleagues. As a subscriber, you can gift 3 to 5 articles each month that anyone can read—no subscription needed!
Communications and Information Minister Budi Arie Setiadi (left) sits next to National Cyber and Encryption Agency (BSSN) head Hinsa Siburian (right) during a meeting about the Brain Cipher ransomware attack on the temporary National Data Center facilities with House of Representatives Commission I overseeing communications and information at the Senayan legislative complex in Jakarta on June 27, 2024. (Antara/Dhemas Reviyanto)
D
uring the House of Representatives meeting on June 27 with Communications and Information Minister Budi Ari Setiadi and National Cyber and Encryption Agency chief Hinsa Siburian, it was revealed that the cyberattack compromising the temporary National Data Centre (NDC) in Surabaya was caused by malicious software called Brain Cipher Ransomware.
The attack began with the deactivation of Windows Defender, followed by the installation of malicious files, the deletion of important file systems and finally, the deactivation of ongoing service operations at the NDC.
It turned out that the NDC did not have complete backups of the data it kept, which is unforgivable to many, as we are talking about a national database on which Rp 700 billion (US$42.7 million) of the state budget has been spent thus far, though this comes as no surprise.
Given that the comprised data can be deemed personal data, let us examine the incident through the lens of the Personal Data Protection (PDP) Law.
Cyberattacks are a constant threat in the digital era, but the issue is whether we have an adequate security system that is reliable and secure. In a case of data protection failure, which will likely happen, it is whether we have the procedures for handling and recovering from such a failure. These are the essence of the PDP Law.
Unfortunately, we cannot help but point our finger at the Communications and Information Ministry over this incident. Despite Telkomsigna being the NDC’s operator, the PDP Law would categorize the ministry as the personal data controller (PDC) responsible for building the NDC and which exercises control over data processing.
The PDP Law imposes obligations on PDCs, including that they must protect personal data from unauthorized processing and prevent illegal access to personal data by adopting a security system that is reliable, secure and responsible.
