JAKARTA - Indonesia's newly formed data protection task force is chasing down a hacker behind a series of data leaks related to 1.3 billion registered mobile phone numbers and 105 million voters, and a log of the President's correspondence, among others.
The hacker, who goes by the pseudonym of Bjorka and claims to be based in Warsaw, Poland, has been selling stolen data, including that from Indonesian state-owned enterprises, mobile phone operators and general election commission, on hacking forum BreachForums in the past few weeks.
Bjorka has also leaked a log of incoming and outgoing confidential documents between President Joko Widodo and the State Intelligence Agency.
The hacker also posted personal data of public figures such as Coordinating Minister for Maritime Affairs and Investment Luhut Pandjaitan and Communication and Informatics Minister Johnny G. Plate. The details leaked included phone numbers, identity numbers, and vaccine numbers.
The day after a senior informatics applications official appealed to Bjorka to stop leaking Indonesians' personal data at a press conference on Sept 5, the hacker boldly told the government to "stop being an idiot" in a BreachForums post.
Bjorka's intention, the hacker said in a tweet on Sept 10, was to show how easy it is "to get into various doors due to a terrible data protection policy", "primarily if it is managed by the government".
On Twitter, Bjorka also said those investigating the hacking would not know where to start looking, and taunted public figures such as State-Owned Enterprises Minister Erick Thohir, telling him to give up his presidency hopes.
At least three of Bjorka's Twitter accounts have been suspended.
Coordinating Minister for Political, Legal, and Security Affairs Mahfud MD last Wednesday called on the public to remain calm, claiming no crucial systems were hacked and no state secrets were leaked.
The leaks "only occurred to general data pertaining to the President's correspondence. Until now, their content has not been leaked", he said.
He added that authorities have identified Bjorka and the hacker's location based on "tools that can track all the stuff".
Soon after the data protection task force was formed last Wednesday, the police interrogated a 23-year old man, identified by the initials MAH, in Madiun regency in East Java, where he sells drinks in a traditional market, Tempo reported.
The police have not confirmed if he is Bjorka, and the task force is investigating the recent incidents.
Indonesia, home to a booming digital economy, has seen massive data breaches since 2019 involving government agencies and private companies.
A major incident involved the leaking of social security details - including identity cards and family cards - of over 200 million citizens in the Healthcare and Social Security Agency's database in May last year.
This was a "top of the line" breach, said experts, who criticised the lack of adequate responses in past breaches.
"The data leaked by Bjorka is actually lesser in quality and quantity than those leaked previously," digital forensic expert Ruby Alamsyah told The Straits Times. "But, thanks to the hacker, the personal data leaks have come into the spotlight tremendously."
He noted that prior to BreachForums, Bjorka had sold leaked data from other countries at RedForum, one of the biggest Dark Web destinations for stolen data, which was shut down by the US Justice Department in April.
Mr Ruby, chief executive of Jakarta-based Digital Forensic Indonesia, underlined that instead of focusing only on the latest data breach, the task force should also investigate similar leaks since 2019 and at least, get "lessons learned from the past cases" to avert similar incidents in the future.
"It's better for the task force to improve data management. Relevant institutions just denied data leaks in the past few years and did not enhance their data protection, and therefore, there have been recurrent data leaks," Mr Alfons Tanujaya, an IT security specialist at Vaksincom, told ST.
"If Bjorka is arrested, but the data continues to be leaked, within three to six months there will be other Bjorkas exploiting the breached data."
Parliament is expected to pass the Personal Data Protection Bill within a month, said Dr Mahfud.
When the Bill is passed into law, government institutions and private companies will be pushed to enhance their cyber security, both Mr Ruby and Mr Alfons said. This is because any data leaks will result in financial penalties and criminal sanctions.
"Logically, due to the fine and sanctions, all parties will be well-prepared, ensuring that their cyber security is better than the past and data leaks can be averted," said Mr Ruby.
"If there's a leak, the public can demand accountability and compensation because of the existence of a valid legal basis."