In a screenshot posted on Twitter on Saturday, Dark Tracer, an intelligence platform that monitors malicious activities in cyberspace, revealed that a hacker group known as the LockBit ransomware had claimed to have stolen 1.5 terabytes of data managed by state-owned Bank Syariah Indonesia (BSI).

The hacker group, which uses malicious software LockBit 3.0 that blocks user access to computer systems, claimed to hold BSI’s data, including its customers' and employees’ contact details, financial documents, card details and passwords of the customers.

The hacker group demanded the bank management contact them to negotiate before 4:09 a.m. on Tuesday, otherwise they would release all the data on the dark web.

The alleged data breach first surfaced on May 11, when BSI chief executive Hery Gunardi told a press briefing that the bank has found indications of a cyberattack that caused disruption to all services at BSI, including its mobile banking, ATMs and branch offices from May 8. But as of May 11, all of its services had been recovered.

He apologized to BSI customers for the service disruption and said that “customer funds and data are safe”, as quoted by Kompas.id.

BSI did not respond to The Jakarta Post’s question about the demands by the hacker group.

Read also: Cyberattacks bound to rise ahead of 2024 polls: SAFEnet

Cyber and Crypto Agency (BSSN) spokesperson Ariandi Putra said on Monday the agency had communicated with the BSI information technology team, which had independently investigated the alleged cyberattack, recovered its electronic system and increased the bank’s digital security.

“The results of the coordination concluded that the BSI cyber team would [continue to] handle and repair the system independently,” Arianto said on Monday, adding that BSI would report any updates to the Financial Services Authority (OJK), Bank Indonesia, the police and the BSSN.

The OJK, meanwhile, has also pledged to continue ensuring the digital security of the banking sector, while calling on bank management to improve the security of their electronic systems.

Read also: House passes long-awaited privacy bill

Cybersecurity expert Pratama Persadha of the Communications and Information System Security Research Center (CISSReC) said electronic service providers must regularly assess their cybersecurity systems to prevent potential cyberattacks or data breaches.

He added that BSI should not negotiate with the hacker group, which had been threatening electronic service providers in various countries since 2019, as it did not guarantee that the data claimed to be stolen would not be sold on the dark web. Instead, he suggested that BSI work with the BSSN to handle the incident.

Breach over breach

A string of cyberattacks against state institutions over the past few years, including a state insurer, a telecommunications company and the Indonesian Child Protection Commission (KPAI), led policymakers to enact the long-awaited Personal Data Protection Law in October last year.

Read also: Care and protect?: Apparent govt health app breach raises deeper data concerns

The government was back in the spotlight for failing to protect citizens’ data following an alleged breach of COVID-19 tracking app PeduliLindungi in November – the second apparent hack of a state database since the privacy law was enacted.

The law grants citizens more control over their personal information online and seeks to spur cybersecurity improvements by requiring data controllers and processors to ensure the rights of “data subjects” and the security of their data, including by setting up firewalls and encryption systems. The law, however, gives data handlers two years to build their security systems, and the data protection oversight agency that it calls for to administer sanctions and fines has not been established to date.

Institute for Policy Research and Advocacy (Elsam) executive director Wahyudi Djafar said the Communications and Information Ministry had no choice but to continue the oversight role, as mandated by the 2019 government regulation on electronic systems and transactions until the prescribed oversight agency was formed. The 2019 regulation uses the Electronic Information and Transactions (ITE) Law, a draconian law that has long been used to silence critics and currently is being revised at the House of Representatives, as its basis instead.