TheJakartaPost


Latest data 'breach' sees fresh calls for oversight

Millions of passport holders’ details offered for sale online.

A. Muh. Ibnu Aqil (The Jakarta Post)
Jakarta
Fri, July 7, 2023


An alleged data breach affecting millions of Indonesian passport holders has renewed calls for the establishment of an independent oversight agency to ensure effective protection of personal data.

Cybersecurity analyst Teguh Aprianto revealed on Wednesday on his Twitter account (@secgron) that pseudonymous hacker Bjorka had breached and offered 4 gigabytes of passport data belonging to 34.9 million Indonesian citizens for US$10,000.

The data contains each individual’s full name, passport number, date of expiry, date of birth and gender.

Teguh had analyzed around 1 million samples that Bjorka had posted on a hacker platform and concluded that the data was genuine.

The Communications and Information Ministry immediately launched an investigation into the alleged cybercrime, but said it could not confirm the breach.

Usman Kansong, the ministry’s information and public communication director general, pointed to several differences in the data structure between Bjorka’s samples and those in the national data center, Antara reported.

The communications ministry is continuing its investigation in coordination with the National Cyber and Encryption Agency (BSSN) and the Immigration Directorate General of the Law and Human Rights Ministry.

If the data breach had indeed happened, the leaked passport data could be used to commit other cybercrimes against the passport holder, said cybersecurity analyst Alfons Tanujaya. For example, a hacker could use the leaked data to steal passwords to gain illicit access to the passport holder’s other digital accounts.

The leaked data could also be used to make counterfeit passports, Alfons added, though individuals with biometric passports might be more protected, as these contained electronic chips with encrypted data.

“However, leaked data from electronic passports can still be exploited, as the dataset is no different from [conventional] passports,” he said.

Oversight needed

The passport data breach is the latest hacking incident in the country.

According to the communications ministry, at least 94 data breach incidents were recorded between 2019 and mid-2023.

Some of the breaches occurred after the House of Representatives passed the Personal Data Protection Law last September. Two months later, Bjorka claimed to have stolen 3.2 billion data entries belonging to users of the PeduliLindungi official COVID-19 tracing app, now renamed SatuSehat.

More recently in May, a ransomware group called LockBit claimed to have stolen 1.5 terabytes of data managed by state-owned Bank Syariah Indonesia (BSI).

The alleged passport data breach showed that the data managed by public institutions are the most vulnerable, despite regulations that mandated data protection even before the data protection law was passed. According to current regulations, the communications ministry is responsible for the government's data protection efforts.

“These incidents show that there is inconsistent implementation of security standards and data protection by the government,” said Wahyudi Djafar, executive director of the Institute for Policy Research and Advocacy (Elsam) human rights group.

Proper implementation of earlier regulations on data protection should have set the benchmark and best practices for implementing the Personal Data Protection Law, he added.

The new law mandates improvements in cybersecurity by requiring data controllers and processors to guarantee the rights of data subjects and ensure the security of their data, including by setting up firewalls and encryption systems.

The law also mandates the government to set up a national oversight agency on data protection. This agency is also authorized to impose administrative sanctions and nonjudicial fines on data controllers or processors that breach the rights of data subjects.

But the agency has yet to be established, as the government is still drafting a regulation on the new agency and is targeting a public review by the third quarter of this year.

“We expect the agency will be formed by the end of this year,” said Semuel Abrijani Pangerapan, the ministry’s applications and informatics director general.

Not enough deterrence

How effective the agency will be in holding to account public institutions that fail to protect personal data is under question. In the case of a data breach, the Personal Data Protection Law only stipulates administrative sanctions for data controllers at the institution responsible.

“There won’t be any deterrent effect for public institutions,” Wahyudi said. “The risk for users as data subjects is bigger.”

The alleged passport data breach clearly showed that the oversight agency would need to be independent and strong enough to enforce the compliance of public institutions, he added. He also urged President Joko “Jokowi” Widodo to speed up the oversight agency’s establishment to mitigate the risk of future data breaches.
