Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
After the personal data of over 279 million Indonesians were allegedly leaked and sold on a hacker platform this month, the Communications and Information Ministry has ordered Internet service providers to restrict access to data sharing site Raid Forums.
Threat actors have used the site to sell sensitive information in multiple cases, including those involving e-commerce platforms Tokopedia and Bukalapak.
And here we go. Full data of the entire country’s population. Including salaries and data of dead people. Personal data protec whaaaaaaat?? pic.twitter.com/yZpWp6xTe8
— Nuice Media (@nuicemedia) May 20, 2021
Ministry spokesperson Dedy Permadi released a statement saying that Raid Forums has been identified as a forum that shares content that violates the country’s laws.
As a measure to anticipate the wider spread of personal data, Kominfo has made the following efforts:
Raid Forums has been identified as a forum that spreads a lot of content that violates laws in Indonesia, so that the website, including an account called Kotz, is being blocked.
Links to download personal data, namely data links on bayfiles.com, mega.nz, and anonfiles.com have all been blocked.
The decision to restrict access to the website and the download links was widely ridiculed, as the government’s DNS-based blocklist can be easily circumvented with something as simple as a proxy or VPN application.
Together with the National Cyber and Encryption Agency, the Communications and Information Ministry ran a random check on 1 million data samples included in the leak, concluding that they “need to investigate further.”
The dataset was supposedly stolen from the Health Care and Social Security Agency (BPJS Kesehatan), which runs the nation’s health insurance program. The samples included unique data such as citizenship identity numbers, identity cards, phone numbers, email addresses, names, home addresses, and salaries. The ministry contacted the board of directors of BPJS, urging them to conduct an internal investigation and formulate a plan to prevent future breaches.
For the time being, authorities have not determined the origin of the leak.
Sadly, since Indonesia doesn’t have laws allowing citizens to sue companies or institutions for damages when their personal data is compromised, there are few options for recourse for the victims of the leak. The government and parliament agreed to add a clause on violations in the handling of personal information in its data protection bill.
Even though legislators intended to pass the bill into law in early 2021, things have been moving slowly, giving the impression that data protection is not a priority for Indonesia.
Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.
