Indonesia probes alleged hacking of Covid-19 test data

The alleged hacker posted an offer of $419 for the entire set of leaked data. PHOTO: EPA-EFE

JAKARTA - The Indonesian government has denied claims that details of 230,000 people who took Covid-19 tests have been leaked online, but is investigating the alleged hack.

Communication and Information Minister Johnny Plate said the ministry and the National Cyber and Encryption Agency were following up on information about the data breach.

"The Covid-19 database and the results of the examinations at the ministry's data centre are safe," he told The Straits Times in a text message on Sunday (June 21).

The ministry has developed an application called "PeduliLindungi", which seeks to trace and track those testing positive for Covid-19. Millions of people have downloaded it from the Google Play Store and Apple's App Store since its launch in March.

The ministry will also be assessing data centres in other ministries and government institutions to ensure they have not been hacked, said Mr Johnny.

Separately, the National Cyber and Encryption Agency (BSSN) on Sunday denied the database breach.

"BSSN has coordinated with the Health Ministry and the (Covid-19) Task Force to ensure there was no illegal access (to the database) resulting in the data leakage in the electronic system and active information assets of the Covid-19 pandemic management," BSSN spokesman Anton Setiyawan was quoted as saying by Antara news agency.

The reports of the breach arose after an alleged hacker with the username, "Database Shopping," offered to sell the personal data of people undergoing Covid-19 testing in Indonesia.

The alleged hacker, who posted the offer on database sharing and marketplace RaidForums, displayed a set of leaked data and asked for US$300 (S$419) for the entire set.

The data displayed included names, addresses, phone numbers, ages and nationalities, as well as medical records of people who underwent Covid-19 tests in a number of hospitals in Bali, Indonesia's tourism hotspot.

"I sell it to the enthusiast," the alleged hacker said in the post on Thursday.

The hacker said he had similar data from other Indonesian regions, including Jakarta and West Java provincial capital Bandung, Kompas reported.

One cyber-security expert was quoted as saying that based on what was posted, it appeared that the data did not come from hospitals but from the database server.

"The bad news is that the server of the main database has weaknesses and could be hacked," Mr Alfons Tanujaya told Kompas TV. "We must believe what the Communication and Information Minister said, but we cannot deny the data is there in the RaidForums."

When asked about the alleged data breach, the government spokesman on Covid-19 management, Dr Achmad Yurianto, told The Straits Times: "This issue has been handed over to the Communication and Information Ministry and the National Police's criminal investigation department."

Cases of data breach have been surging in Indonesia, home to a big number of tech-savvy Internet users. The latest occurred in May when a hacker offered the personal data of 15 million users of Tokopedia, the country's biggest e-commerce platform. The hacker also posted the offer on RaidForums, asking US$5,000.

The situation has raised concerns about the need of a law to protect citizens' privacy. Parliament has put the Personal Data Protection Bill on its priority list for this year, but it has yet to be passed.

Join ST's Telegram channel and get the latest breaking news delivered to you.