A. Muh. Ibnu Aqil

The Jakarta Post/Jakarta

The private data of millions of Indonesian citizens and corporations are at an increased risk of being exposed, amid the pandemic-influenced rise of remote work and a lack of robust personal privacy legislation.

The country has seen at least five data breaches in August alone, two of which allegedly impacted state-owned firms holding the data of millions of customers. The data is now up for sale, according to hacking forum Breach Forums.

In a now-deleted discussion thread posted on Aug. 18, a member of the forum with the username loliyta claimed to be offering the personal data of some 17 million customers of state-owned electricity firm PLN, including names, addresses, customer ID numbers, kilowatt-per-hour usage and electricity meter numbers.

PLN said in a statement on its Twitter account on Saturday that it was conducting an investigation into the alleged data breach with the Communications and Information Ministry and the National Cyber and Encryption Agency (BSSN).

The company claimed that its actual customer data system had remained secure and that the alleged leaked data was only a copy of public data taken from a customer data dashboard app, not real-time transaction data.

Another forum member, Bjorka, claimed to be holding some 26 million data entries belonging to IndiHome, an Internet service provider owned by state-owned telecommunications firm Telkom. The breached data allegedly included full names, email addresses, genders, national ID numbers, IP addresses and customer browsing history.

Telkom denied the claim, saying the story of the leaked data had been fabricated and that its data was stored in an “integrated cyber security system”.

The government had summoned the two state-owned companies for clarification, said the information ministry’s applications and informatics director general, Semual Abrijani Pangerapan.

Breach Forum users also claimed to be selling 347 GB of confidential documents belonging to some 21,700 Indonesian companies and branches of foreign companies operating in Indonesia, 14 GB of data from Pendidikan Indonesia University students and 500,000 data entries from Gianyar regency in Bali.

Pratama Persadha of the Communications and Information System Security Research Center said the rate of data breaches had increased during the pandemic as more people began working from home with weak internet security systems.

The BSSN, he said, had recorded an increase in internet traffic anomalies – such as DDoS attacks, wherein hackers try to overwhelm and freeze websites with access requests – from around 800 million in 2020 to 1.6 billion in 2021.

“Working from home has increased the risk of data breaches because a lot of people access their employers' [online] systems from home or other locations outside the office,” he said.

He added that the country’s lack of data privacy laws had exacerbated the situation, as the government was not ensuring that electronic system providers secured user data or set uniform standards.

“The result is that when a data breach happens, nobody feels responsible and everybody feels like a victim,” Pratama said.

He urged the House of Representatives and the Communications and Information Ministry to quickly enact the personal data protection bill to hold electronic service providers accountable for any failures to protect private data.

The private sector, he added, should proactively improve its cyber security practices and the public should be more aware of data privacy.

Deputy chair of House Commission I, Abdul Kharis Almasyhari, said the legislative body would soon finish deliberations on the bill.

“We hope that by September the bill can be signed into law,” Kharis said on Wednesday. He did not elaborate when asked if there were any specific points of contention holding up the bill.

The legislation seeks to clarify how state agencies are to handle data privacy cases and ensure that action is taken to protect private data, said commission member Bobby Adhityo Rizaldi. (ahw)