Data breaches abound as govt drags feet on new privacy law

The Communications and Information Ministry is working with experts to implement the new Personal Data Protection Law, but observers warn some aspects can’t wait any longer.

Nur Janti (The Jakarta Post)
Jakarta
Fri, November 25, 2022 (published on Nov. 24, 2022, 2022-11-24T19:44:27+07:00)

A string of digital attacks on state and private institutions that has jeopardized the data of millions of citizens has raised the pressure on the government to quickly establish the oversight agency and regulatory processes called for in the Personal Data Protection Law it passed last month.

The hacker known as Bjorka – who made an enemy of the government by allegedly leaking the private data of members of the ruling political elite – offered some 3.2 billion personal data entries from health surveillance application PeduliLindungi for sale on an online forum on Nov. 15.

The same hacker had put 44 million personal data points apparently belonging to users of fuel payment app MyPertamina up for sale on the same forum five days earlier.

Communications and Information Minister Johnny G. Plate told House of Representatives lawmakers on Wednesday that his office and the Cyber and Crypto Agency (BSSN) were still investigating the multiple breaches and verifying the authenticity of the stolen data.

“We asked [state oil and gas company] Pertamina for a statement, but there has been nothing official from them as of [Wednesday]. Meanwhile, we received an update from the Health Ministry on Nov. 17 stating that it was working with [state telecommunications firm] Telekom and BSSN to carry out a digital forensics examination,” he told House Commission I overseeing information and intelligence.

Johnny said at least five different data breaches had been reported to his office by both public and private electronic service providers (ESPs), including MyPertamina and PeduliLindungi, as well as gaming website Mobile Legend Forum and online marketplaces Lazada and Carousell.

Since 2019, the ministry has recorded 77 violations of privacy affecting 49 private firms and 28 public firms, with 33 incidents occurring this year alone.

In September, cybersecurity company Surfshark placed Indonesia in the top three most cyberattack-prone countries in the world for the third quarter of 2022.

Urgent transition

Data protection activists and other observers have urged the government to accelerate the implementation of the privacy law, considering that repeat cyberattacks have jeopardized the personal data of millions in recent months.

Institute for Policy Research and Advocacy (Elsam) executive director Wahyudi Djafar, for instance, said the state ought to implement the law ahead of the transition deadline, if only to allow data processors to adjust their systems to the new provisions.

“Within the two-year transition period, data processors require technical guidelines to improve their cybersecurity, so the would-be oversight agency and the relevant implementing regulations need to be formed at least a year before the deadline,” Wahyudi said in a statement.

The data privacy law requires the government to issue 10 different implementing regulations. Of these, nine are to be government regulations (PP) that touch on issues such as the rights of “data subjects”, the processing of private data and procedures for imposing administrative sanctions.

One other regulation, to be issued by the president, is required to form the oversight agency responsible for establishing data protection policy, resolving privacy disputes out of court and meting out sanctions and fines.

However, the government has been slow to follow through on the politically contentious legal process.

Internet security expert Ruby Alamsyah hoped the state would form the oversight agency as soon as possible to ensure the country could develop more robust digital security infrastructure capable of fending off attacks.

“The agency would act as a referee. So if the referee has not been determined, how will the law be implemented?” Ruby said.

Minister Johnny said his office was working with experts to draft the regulations and that they would be issued “in the near future”.

In the meantime, the transition into a more robust system would require a temporary fix, which Johnny said would be based on PP No. 71/2019 on electronic systems and transactions. This regulation requires ESPs to guarantee the security, reliability and efficiency of their systems.

In response to the minister’s statement, House Commission I lawmaker Nico Siahaan of the ruling Indonesian Democratic Party of Struggle (PDI-P) demanded that the state have at least some accountability for user data protection.

“If we use PP No. 71/2019, it is clear that the one responsible for overseeing [ESP] compliance is you, the minister. The problem is that we have never heard of any sanctions being imposed on ESPs when data is leaked,” he said at the hearing.
