Indonesia probing alleged Covid-19 test data breach

The Indonesian government has denied claims that details of 230,000 people who took Covid-19 tests have been leaked online, but says it is investigating the alleged hack.

Communication and Information Technology Minister Johnny Plate said the ministry and the National Cyber and Encryption Agency were following up on the case.

"The Covid-19 database and the results of the examinations at the ministry's data centre are safe," he told The Straits Times in a text message yesterday.

The ministry has developed an application called PeduliLindungi, which seeks to trace and track those who test positive for Covid-19. Millions of people have downloaded it from the Google Play Store and Apple's App Store since its launch in March.

The ministry will also be assessing data centres in other ministries and government institutions to ensure they have not been hacked, said Mr Plate.

Separately, the National Cyber and Encryption Agency yesterday denied the database breach, local media reported.

Reports of the breach arose after an alleged hacker with the username "Database Shopping" offered to sell the personal data of people undergoing Covid-19 testing in Indonesia.

The alleged hacker, who posted the offer on database sharing and marketplace RaidForums, displayed a set of leaked data, asking US$300 (S$420) for the entire set.

The data displayed included names, addresses, phone numbers, ages and nationalities, as well as medical records of people who underwent Covid-19 tests in a number of hospitals in Bali, Indonesia's tourism hot spot.

"I sell it to the enthusiast," the alleged hacker said in the post last Thursday.

The hacker claimed he had similar data from other Indonesian regions, including Jakarta and West Java provincial capital Bandung, Kompas reported.

Cyber-security expert Alfons Tanujaya told Kompas TV that based on what was posted, it appeared the data came from the main database rather than from the hospitals.

When asked about the alleged data breach, the government spokesman on Covid-19 management, Dr Achmad Yurianto, told The Straits Times: "This issue has been handed over to the Communication and Information Technology Ministry and the national police' criminal investigation department."

Cases of data breach have been surging in Indonesia, with the latest occurring last month when a hacker offered the personal data of 15 million users of Tokopedia, the country's biggest e-commerce platform. The hacker, who also posted the offer on RaidForums, asked for US$5,000.

The situation has raised concerns about the need for a law to protect citizens' privacy. Parliament has put the Personal Data Protection Bill on its priority list for this year, but it has yet to be passed.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on June 22, 2020, with the headline Indonesia probing alleged Covid-19 test data breach. Subscribe