The Jakarta Post

Voter roll database at high risk of breaches, activist warns

The General Elections Commission (KPU) needs to closely follow the Personal Data Protection Law to make sure that voters' personal information stored in the database is safe from breaches by outside hackers, says the Institute for Policy Research and Advocacy (Elsam) human rights group.

Dio Suhenda (The Jakarta Post)
Jakarta
Wed, July 12, 2023. Published on Jul. 11, 2023 (2023-07-11T20:02:45+07:00)

Election organizers must ensure the voter roll database that contains highly sensitive personal information of all voters is safe from cyberattacks, activists have warned, amid a recent spate of data breaches that have exposed Indonesia’s lackluster data protection efforts.

The General Elections Commission (KPU) presented the national voter roll last week following a lengthy verification process. There will be 204 million Indonesians eligible to cast their votes on the Feb. 14 voting day next year.

The commission stores the voters’ personal data in its own database, called SIDALIH, which is linked to the Home Ministry’s civil registry. Among the personal data stored are full names, addresses, dates and places of birth and ID and family card numbers.

The KPU needs to follow provisions mandated by the Personal Data Protection (PDP) Law to make sure the SIDALIH is free from data breaches, said the Institute for Policy Research and Advocacy (Elsam) human rights group.

Passed last September, the PDP Law is largely deemed a step forward in Indonesia’s data protection efforts. One important provision is mandating data controllers and processors to guarantee the security of the data, including by setting up firewalls and encryption systems.

“[SIDALIH] is at higher risk of being exploited due to the scale of the data, both in terms of amount and its type,” Elsam executive director Wahyudi Djafar said in a statement on Monday.

The law also gives data owners, in this case voters, the right of consent to how their personal data is stored and used, as well as who can access it.

Among the issues Elsam highlighted with the KPU’s SIDALIH is the unclear provision on whether the commission will permanently delete the data after the general election concludes or keep it as a reference for future elections.

“If they want to keep it for a long time, how can they ensure the security of this kind of data?” Wahyudi said.

Another issue is the fact that political parties participating in next year’s election would have access to KPU’s voter base data, as mandated by the 2017 General Election Law.

Wahyudi urged the KPU to work closely with the Communications and Information Ministry to create guidelines on data access by election organizers and political parties. The ministry can later proactively monitor the implementation while keeping only the data necessary for the elections. The National Cyber and Encryption Agency (BSSN) also needs to make sure SIDALIH’s safety protocols are up to par, he added.

The KPU had been doing its best to keep the voter roll database safe, said commissioner Betty Epsilon Idroos. Measures taken include keeping the database on its own server. The KPU had also formed a data-safety task force with the communications ministry, the BSSN, the National Police’s cyber security division and the State Intelligence Agency (BIN).

“The task force has run several penetration tests. Everything is working properly,” she told The Jakarta Post on Tuesday.

Elsam’s warning came days after an alleged data breach by notorious pseudonymous hacker Bjorka that leaked the data of 35 million Indonesian passport holders. The hacker was also behind the alleged leak late last year of 3.2 billion entries belonging to users of the PeduliLindungi official COVID-19 tracing app, now renamed SatuSehat.

The ransomware group LockBit claimed in May to have stolen 1.5 terabytes of data managed by state-owned Bank Syariah Indonesia (BSI).

The string of data leaks has intensified calls for the establishment of a data protection oversight agency, as mandated by the PDP Law. The establishment of the agency, which answers to the President, is currently waiting on a presidential regulation.

The Communication and Information Ministry recently said the agency would be formed by the end of this year.
