Alleged breach of BPJS data points to Indonesia's weak data protection: Experts


A. Muh. Ibnu Aqil (The Jakarta Post)
Jakarta
Mon, May 24, 2021


The private information of more than 200 million Indonesians is believed to have been stolen and offered up for sale by alleged hackers, adding to a string of hacking incidents that experts say are a tell-tale sign of the country’s weak data protection system.

In a May 12 post on online hacking forum raidforums.com, an account with the username Kotz claimed to have the personal data of 279 million people, alive and deceased, including their full names, ID card numbers, email addresses, phone numbers, dates and places of birth, as well as salary details. The information allegedly belongs to national health insurance (JKN) policyholders. Kotz is offering access to the data for 2 Bitcoin, or roughly US$74,906 (Rp 1 billion). Kotz initially provided a link to three separate file-sharing websites on which data on 2 million people could be downloaded as a sample, but later deleted the post and denied having offered to sell the data.

Health Care and Social Security Agency (BPJS Kesehatan), which manages the JKN, said on Thursday it was looking into whether the leaked data had originated from the JKN or other sources, with spokesperson Iqbal Anas Ma’ruf reiterating the agency’s commitment to protecting the data of their policyholders. Iqbal said the agency applied multiple layers of a stringent data security system.

To date, the agency manages around 224 million active JKN participants, or about 82 percent of the Indonesian population.

The Communications and Information Ministry is also investigating the alleged data breach and has so far found that only 100,000 entries of the already leaked 1 million were valid. The ministry has taken down the download links on bayfiles.com, mega.nz and anonfiles.com. Access to raidforums.com has also been blocked.

“We also found indications that the data was identical to BPJS Kesehatan’s data as it contains BPJS Kesehatan participant information, like [JKN] identity numbers and [premium] payment status,” ministry spokesperson Dedy Permadi said on Friday.

He added that the ministry had questioned BPJS Kesehatan’s board of directors on Friday and ordered the agency to coordinate its investigation with the ministry and the National Cyber and Encryption Agency (BSSN), and share with them all of its findings.

Experts have said that the incident showed the vulnerability of personal data protection in Indonesia and the urgency to pass a much-awaited personal data protection bill, known as the PDP Bill, into law.

It was the second massive breach detected in Indonesia in about a year. The database of up to 91 million users of Indonesian e-commerce platform Tokopedia — which included email addresses, encrypted passwords and names — had been breached and was up for sale last year in May. Tokopedia confirmed the breach and claimed it had ensured its users’ personal data but still urged users to change their passwords.

“The absence of a comprehensive personal data protection law has caused problems in personal data protection, both in the public sector and in the private sector,” Wahyudi Djafar from the Institute for Policy Research and Advocacy (ELSAM) said on Saturday.

Last year, ELSAM identified 46 problematic regulations on personal data management, ranging from citizenship data to personal information related to banking transactions, none of which properly define and protect personal data.

Wahyudi said the BSSN should also investigate whether BPJS Kesehatan has updated its data security and adhered to the international standards of ISO/IEC 27001 on the management of information security, also mandated by a 2020 BSSN regulation.

“[Security management systems] must constantly be updated [to prevent] cyberattacks.”

Communication and Information System Security Research Center (CISSReC) chairman Pratama Prasadha said all government ministries and agencies must cooperate with the BSSN to conduct forensic digital audits of their databases and check possible security holes to prevent future data breaches.

“The [BPJS Kesehatan] data breach could have been used for crimes such as phishing or other kinds of social engineering,” Pratama said in a statement on Thursday.

Even though the data offered for sale was incomplete, cybercriminals might still be able to make detailed profiles of their targeted victims by comparing or combining other available information, he said.

 
