Concerns raised at slow pace of data breach probe

An account with the username Kotz claimed on online hacking forum raidforums.com on May 12 to have the personal data of 279 million Indonesians, alive and deceased.

A. Muh. Ibnu Aqil (The Jakarta Post)
Jakarta
Fri, May 28, 2021 | Published on May 27, 2021 (2021-05-27T19:41:38+07:00)


An investigation into the alleged breach and attempted sale of the private information of over 200 million Indonesians has yet to show significant progress, raising concerns over the country’s data protection measures.

An account with the username Kotz claimed on online hacking forum raidforums.com on May 12 to have the personal data of 279 million Indonesians, alive and deceased. The information consisted of full names, ID card numbers, email addresses, phone numbers, dates and places of birth, as well as salary details.

The information allegedly belongs to policyholders of the national health insurance (JKN) program, which is managed by the Health Care and Social Security Agency (BPJS Kesehatan).

Kotz’s post and resulting replies were no longer available on raidforums.com as of Tuesday.

The Communications and Information Ministry previously said it was investigating the alleged data breach and had taken down download links Kotz had allegedly provided for data on 2 million people as a sample. The ministry has also blocked access to raidforums.com for Indonesian internet users.


During a press briefing on Tuesday, BPJS Kesehatan did not acknowledge that the leaked data had come from its database. Previously, the Communications and Information Ministry said it had found indications that the information was identical to BPJS Kesehatan’s data “as it contains BPJS Kesehatan participant information, like JKN identity numbers and [premium] payment statuses”.

“BPJS Kesehatan has also taken legal measures by reporting this case to the National Police’s Criminal Investigation Department [Bareskrim] because this is a violation of prevailing laws and can incur material and nonmaterial losses for the agency,” said BPJS Kesehatan president director Ali Ghufron Mukti.

He added that the agency had made efforts to protect its policyholders’ data by, among other measures, implementing ISO/IEC 27001 information security management standards and operating a security operation center for its database.

A 2020 National Cyber and Crypto Agency (BSSN) regulation requires all public and private electronic system providers (PSE) to apply security measures according to ISO/IEC 27001 standards to ensure the security of the personal data they manage. Any party found not applying the security measures will be given administrative sanctions by the BSSN, which may range from a warning to a suspension or revocation of the provider’s security license.

“BPJS Kesehatan has implemented multiple security layers according to the latest standards. But people can still hack [into our system] because of the dynamic nature of the hacking world,” Ali said. 

While the agency assured that the alleged data leak had not affected the services of healthcare facilities or BPJS Kesehatan’s branch offices, it is working on mitigation efforts to prevent any disturbances in insurance services.

Ali also urged policyholders to contact BPJS Kesehatan’s hotline at 1500400 or the nearest branch office if anyone asks them for private data related to their insurance policy.

While the investigation has yet to confirm whose data had been leaked and how the database could have been hacked, experts warned that the information could have already been used by cybercriminals or other parties.

“Anyone can obtain that massive amount of data and do almost anything they want with it with only just 2 Bitcoins [US$75,768], such as [unlicensed] peer-to-peer lenders,” Southeast Asia Freedom of Expression Network (SAFEnet) cybersecurity division head Abul Hasan Banimal told The Jakarta Post.


Ethical Hacker Indonesia cofounder and cybersecurity consultant Teguh Aprianto created the website periksadata.com/bpjs for Indonesians to check whether their data had been leaked in the alleged data breach. Users can check whether their data has been compromised by submitting their BPJS Kesehatan card number.

The website utilizes the sample data uploaded at raidforums.com. Kotz said the sample contained the data of over 1 million people, although the Communications and Information Ministry later claimed that only around 100,000 entries from the sample were valid.

“In the event of a personal data breach, there’s little we can do except demand that authorities investigate the incident and report their results transparently to the public,” Teguh said.

He slammed BPJS Kesehatan for allowing the incident to happen, despite its claims of multilayer security measures adhering to ISO/IEC 27001 standards.

Teguh also alleged that some companies and institutions might have claimed to have obtained the international certification but later loosened their security standards during regular operational periods.
