Indonesia beefs up cyber security after data breaches

Indonesia is pushing ahead with a data protection law, following a series of high-profile data breaches in recent months at some of its biggest e-commerce companies.

The legislation - due by the end of the year - will make it illegal to collect consumer data without permission and require businesses to alert customers within days of knowing that their names, e-mail and other information have fallen into the wrong hands.

The proposed law, which includes fines of up to 210 billion rupiah (S$20.3 million) for corporations and up to seven years in prison for individuals, reflects growing concern among Indonesia's quickly growing cohort of online shoppers that companies and the government are failing to keep their personal information safe.

Indonesia's State Cyber and Crypto Agency (BSSN) has said the country had more than 98 million cyber attacks last year - up from 12 million a year earlier.

Mr Ardi Sutedja, who helped found BSSN and is now chairman and founder of the non-profit Cyber Security Forum, said more attacks are going unreported by companies eager to avoid spooking customers and investors.

"This is just the tip of the iceberg," Mr Ardi said.

In early May, news broke on Twitter that online mall Tokopedia had suffered Indonesia's biggest data breach with the theft of personal data, including e-mails and passwords for 91 million accounts, which were put on sale on the Dark Web.

Earlier this month, local media reported that the data, which can be used as fodder for phishing scams, had resurfaced for sale for the equivalent of $15.

Days after the Tokopedia heist, smaller rival Bhinneka, which specialises in business supplies, revealed that it, too, had been the victim of a hack, in which attackers had gained access to 1.2 million accounts.

Also, in May, the country's election commission said the private information of 2.3 million voters had been illegally copied.

Late last year, e-commerce site Bukalapak found that hackers had made off with the personal data of 13 million accounts.

 
 

NEW REGULATIONS

Up until now, rules governing personal data have been scattered across myriad financial, telecommunications and employment regulations that have made it tough for consumers to hold businesses to account for misusing their information, analysts said.

Modelled after the European Union's 2018 General Data Protection Regulation, Indonesia's pending Personal Data Protection Bill allows owners of data to withdraw permission for the usage of the data, to be notified within three days of its theft, and to sue if it is stolen.

Atop this new regulatory structure in every company must be a data protection officer who can ensure the company is compliant - something Mr Ardi says will cost, on average, the equivalent of 10 per cent to 20 per cent of working capital to train staff and upgrade the information technology network.

The rules could not have come too soon.

The value of Indonesians' online purchases of plane tickets, home appliances, takeaway orders and other goods is expected to triple to US$130 billion (S$180.8 billion) by 2025, according to a study last year by Google, Temasek and Bain & Company.

After all that, the customs of everyday life may still put Indonesians in the cross hairs of digital bandits.

One example: IDs left at front desks to manage the flow of visitors to offices may still be recorded, their contents shared or dissected as the host wishes - something the new legislation so far fails to address.

Meanwhile, Tokopedia, which dropped from being Indonesia's 25th most visited site to 110th place after the hacking, has since clawed back some ground.

It now ranks 50th in a country where roughly two-thirds of the population of 270 million count themselves as Internet users.

Mr Ismail Fahmi, an analyst specialising in tracking hoaxes and social media, said Indonesian users are slow to learn from their online mistakes.

"It seems we never learn from the many accidents that happened before," Mr Ismail said.

"It's business as usual."

A version of this article appeared in the print edition of The Sunday Times on July 12, 2020, with the headline 'Indonesia beefs up cyber security after data breaches'.