Indonesian govt says social security data breach much smaller than claimed

A hacker claimed he had access to data on Indonesia's entire population of more than 270 million people.

JAKARTA - Indonesia's Communication and Information Ministry has confirmed a leak of social security data but insisted that the breach is much smaller in scale than claimed by the hacker.

Last week, a user with the handle Kotz posted samples of data, such as names, citizenship identity numbers, residential addresses and phone numbers of one million Indonesian citizens, on an online forum frequented by hackers.

Kotz claimed it had access to data on the entire population of more than 270 million people.

In a statement on Friday (May 21), a spokesman for the Communication and Information Ministry said that it was probing 100,002 samples, far fewer than claimed.

The spokesman, Mr Dedy Permadi, also said the data, such as card numbers, family information and payment status, was allegedly "identical" to those held by the Healthcare and Social Security Agency, BPJS Kesehatan, which runs Indonesia's universal healthcare programme.

The authorities have taken steps to prevent further distribution of the stolen data, said the spokesman.

"The Communication and Information Ministry has taken anticipatory measures to avert the spread of the data further by cutting off access to the links to download the personal data," he said, adding that two out of three website links have been taken down.

BPJS Kesehatan has deployed a special team to track and find the source of the leak.

The agency insisted that it has a "strict and layered data security system" to ensure confidentiality of data.

The leak comes as Indonesia, the world's fourth-most populous nation, pushes ahead with a massive Covid-19 vaccination drive for its population. The pandemic has left more than 49,000 dead and 1.76 million infected in the country as of Friday.

The programme depends largely on online registrations.

Cyber security expert Alfons Tanujaya believes the hacking was unlikely to be sophisticated, with the attacker using "basic" methods such as SQL injection, which involves the use of malicious code.

"Judging from the quantity of the leaked data, the data protection is likely still too weak," Mr Alfons told The Straits Times.

He warned that although the leaked data did not include medical records, the contact details and other personal data could potentially be misused, such as to produce fake ID cards, set up bank accounts and apply for loans.

"The (latest) case is the tip of the iceberg from (Indonesia's) messy data management," Mr Alfons said.

Cases of data breach have been surging in Indonesia, home to a huge number of tech-savvy Internet users.

In May last year, a hacker offered on RaidForums the personal data of 15 million users of Tokopedia, Indonesia's biggest e-commerce platform, which recently merged with ride-hailing company Gojek.

In June last year, the data of 230,000 people taking Covid-19 tests was sold on the same platform.

Indonesia's Parliament has again put the Personal Data Protection Bill on its priority list for deliberation this year, but it has yet to be debated.

Mr Dedy called for electronic system providers to report instances of hacking to the authorities at the first opportunity.

"Apart from that, the electronic system providers are also obliged to convey to the owners of the personal data in written statements about their failure to protect the personal data," he said in the statement.