TheJakartaPost


Indonesia under cyber-siege: Is there any way out?

The complexity and anonymity of ransomware attacks make them even more difficult for law enforcement to counteract.

Haekal Al Asyari and Elfian Fauzy (The Jakarta Post)
Debrecen, Hungary/Yogyakarta
Tue, May 23, 2023

Indonesians have been appalled by yet another cyberattack targeting the country’s banking industry. Showing how vulnerable the industry is to the threat, a group of Ransomware-as-a-Service (RAAS) hackers called Lockbit 3.0 has allegedly leaked personal data of Bank Syariah Indonesia (BSI) customers.

The stolen data has reportedly been published on the dark web after negotiations to accommodate the hackers' demands failed. The leaked data includes sensitive information such as banking and financial data, consumer transactions and personal data.

Alfons Tanujaya, a cybersecurity observer from Lilin.com, believes the hacking had been going on for quite some time, since the beginning of Idul Fitri on April 22. In observance of the Islamic holiday, the government declared a period of collective leave for civil servants from April 19 to April 25, which the banking industry followed.  

On May 8, it was stated that BSI customer data had been copied and encrypted by hackers. This process took quite some time due to the large amount of data, 1.5 terabytes, that had to be extracted.

Data breaches are not unusual for Indonesia. The BSI ransomware attack was only the latest in a series of similar attacks since the enactment of the Personal Data Protection (PDP) Law. These cases truly raise questions about the adequacy of Indonesia’s cybersecurity framework.

Malware is software designed to cause damage to computer systems, servers or computer networks. It includes viruses, spyware, adware and ransomware. Ransomware, specifically, is designed to prevent victims from accessing a system until a ransom is paid.

Generally, ransomware involves hackers accessing computer networks through illegally obtained employee data. Once they gain access to the system, the hackers either employ an insider to plug a flash disk into a computer workstation or use phishing attacks to gain sensitive information and login credentials.

When the system has been penetrated, hackers can easily access and download all the available information shared across the connected computer networks. While some attacks involving small amounts of data may take several hours to complete, larger extractions take days and even weeks to process.

However, the ransomware attack on BSI is quite unique. The malware used by Lockbit is often referred to as Ransomware as a Service (RAAS) and is commonly used to break into the security systems of banks all over the world. This type of malware can be categorized as dangerous because, according to underground forums, Lockbit has stated that it sells its RAAS as the fastest encryption software worldwide.

Ransomware turned into a business model is categorized as an illegal service and crosses the threshold of extortion: ransomware developers sell ready-made malware to attackers or hackers to execute. The complexity and anonymity of ransomware actors make it even more difficult for law enforcement to act. Even if the malware developers are caught, the RAAS customers may still be able to get away.

The advancement of technology in Indonesia has led to an evident escalation in the sophistication of hackers' methods. This is evidenced by the proliferation of various types of viruses and malware that target government and educational institutions, banks, media outlets and individuals. Every member of the public and private sectors is susceptible to cyberattacks, and Indonesia has had sizable experience of them, such as the Tokopedia data breach, the General Elections Commission (KPU) breach and the government Peduli Lindungi app breach.

In early 2022, via the Dark Tracer account, Bank Indonesia was confirmed to have been hit by an attack from the Conti ransomware hackers. It said the hacker group was based in Russia under the pseudonym Wizard Spider and used phishing attacks to install the Trickbot and BazarLoader Trojans with the aim of gaining remote access.

In the same month, a ransomware attack occurred in the Directorate General of Taxes (DGT) system. This was traced through a taxpayer accessing the DGT's website, which had previously been hit by malware. Later in the same year, in November, a ransomware attack targeted Air Asia airlines, with the hacker group Daixin Team confirmed to have leaked the data of 5 million passengers and employees.

Indonesia does not have a specific cybersecurity law to date. The existing legal bases are the Electronic Information and Transactions (ITE) and PDP laws, which are sufficient to address cyber-related and data protection offenses but fall short of addressing the protection of information infrastructure or the need for human capital in the field of cybersecurity.

Nonetheless, as one of the first cases after the enforcement of the PDP Law, the BSI ransomware attack could be an opportunity for the law to show its teeth and enforce the provisions of personal data protection law in Indonesia. The criminal and administrative sanctions set under the PDP Law are enforceable against individuals and corporations found to have committed data protection offenses.

Notwithstanding the existing legal framework, Indonesia still urgently requires a specific law to address cybersecurity along with a national strategic plan that sets out priorities in protecting the national cyber infrastructure.

The reliance on the cybersecurity system is highly important to protecting Indonesia from cyberattacks. It is crucial for the government and other stakeholders to establish a shared understanding in cybersecurity management. A solid legal framework must be sought to enable coordinated responses and heighten awareness regarding potential threats.

Additionally, cybersecurity awareness should be enhanced. Good knowledge of, and the ability to carry out, security practices when using internet sites, along with an understanding of the importance of protecting personal data, is crucial not only for government institutions but also for organizations, companies and individuals who use the internet.

Practically speaking, awareness of cybersecurity could be advanced in a few ways, such as by periodically updating passwords or PINs, diligently creating backups of computer data, consistently installing the most recent antivirus software and downloading upgraded software or operating systems.

In particular, as the election nears, cyberattacks are not only a concern for government institutions but also for media companies and individuals. In a study by SAFEnet, reported on by The Jakarta Post, there was found to be a high risk of an increase in cyberattacks in periods of political significance.

These concerns raise an alarm that cybersecurity is not merely an institutional matter but requires a multi-stakeholder and civil society approach as well.

 ***

Haekal Al Asyari is a lecturer of law at Gadjah Mada University and a PhD scholar at the University of Debrecen in Hungary. Elfian Fauzy is a lecturer in law at Indonesian Islamic University (UII) Yogyakarta and a member of Indonesian Data Protection Practitioners Association (APPDI).
