TheJakartaPost

BSI insists customers’ data, money safe after alleged breach

Hacker group claims to have released some data on dark web.

Nur Janti (The Jakarta Post)
Jakarta
Wed, May 17, 2023. Published on May 16, 2023 (2023-05-16T20:01:38+07:00)

State-owned Bank Syariah Indonesia (BSI), the country’s largest sharia bank, which was allegedly targeted by a group of hackers in a data breach, insists that its customers’ data and funds are safe even as the group claimed it had released some of the stolen data on the dark web.

BSI corporate secretary Gunawan A. Hartoyo said on Tuesday that the data and funds of all customers were safe, adding that its customers could use its services as usual.

"We hope that customers remain calm [...] we assure that all transactions are secure," Gunawan said, without directly addressing the allegedly stolen data that were released on Tuesday.

He also vowed to review the bank’s electronic system regularly and improve its cybersecurity system. He added that the bank would be working with the relevant authorities, including the Financial Services Authority (OJK), Bank Indonesia and the National Cyber and Encryption Agency (BSSN) to solve the alleged cyberattack.

On Tuesday, Dark Tracer, an intelligence platform that monitors malicious online activities, posted on Twitter a screenshot of chat logs allegedly related to negotiation between the LockBit ransomware group and BSI, in which the group demanded a ransom of US$20 million.

LockBit, which uses malicious software LockBit 3.0, claimed to have stolen 1.5 terabytes of data managed by BSI. The group added that it had published some data samples on the dark web on May 16 and had kept the most interesting data for further “exploitation”, as the negotiation with BSI had failed.

The cyberattack caused a disruption to all BSI’s services, including its mobile banking, ATMs and branch offices, from May 8 until all services were restored on May 11.

BSI has apologized to its customers for the service disruption.

It was the latest alleged cyberattack targeting a state or state-owned institution since lawmakers enacted the Personal Data Protection Law in September 2022. The law grants people more control over their personal information and requires organizations that collect, manage and process personal data to ensure their security and to set up firewalls and encryption systems.

However, the law gives organizations a grace period of two years to install security systems, while the data protection oversight agency it mandates to administer sanctions and fines is yet to be established.

Information and public communication director general Usman Kansong of the Communications and Information Ministry has neither confirmed nor denied the alleged data breach targeting BSI or the alleged sale of stolen BSI data on the dark web.

He only said that “if there was indeed a data breach, it falls under the authority of the BSSN, which is in charge of cybersecurity”, adding that “the ministry, as a regulator, always coordinates with the BSSN”.

Under the 2019 government regulation on electronic systems and transactions, the communications ministry is responsible for overseeing the protection of personal data until the mandated oversight agency is formed.

The BSSN had not responded to The Jakarta Post’s request for comment by the time of publishing.

According to Wahyudi Djafar, executive director of the Institute for Policy Research and Advocacy (Elsam), the two-year grace period is “a critical time for regulators to ensure data controllers and processors are implementing measures to protect personal data and how they respond to any cybersecurity incidents”.

Wahyudi added that the communications ministry had no choice but to maintain its oversight role until the data protection oversight agency was set up.

The 2019 government regulation is derived from the Electronic Information and Transactions (ITE) Law, which has long been criticized as a draconian law used primarily to silence government critics. The House of Representatives is currently revising the ITE Law.
