Steps taken to stop further leak of social security data: Indonesia

Hacker claimed to have access to data on population of more than 270 million people

Indonesia's Communication and Information Ministry has confirmed a leak of social security data but insisted that the breach is much smaller in scale than claimed by the hacker.

Last week, a user with the handle Kotz posted on an online forum frequented by hackers samples of data, such as names, citizenship identity numbers, residential addresses and phone numbers of one million Indonesian citizens.

Kotz claimed to have access to data on the entire population of more than 270 million people.

A Communication and Information Ministry spokesman said yesterday it was probing 100,002 samples, far fewer than claimed.

The spokesman, Mr Dedy Permadi, said the data, such as card numbers, family information and payment status, was allegedly "identical" to those held by the Healthcare and Social Security Agency, BPJS Kesehatan, which runs Indonesia's universal healthcare programme.

The authorities have taken steps to prevent further distribution of the stolen data, he said.

"The ministry has taken anticipatory measures to avert the spread of the data further by cutting off access to the links to download the personal data," he said, adding that two out of three website links have been taken down.

BPJS Kesehatan has deployed a special team to track and find the source of the leak.

The agency insisted that it has a "strict and layered data security system" to ensure confidentiality of data.

The leak comes as Indonesia, the world's fourth most populous nation, pushes ahead with a massive Covid-19 vaccination drive for its population. The coronavirus pandemic has left more than 49,000 dead and 1.76 million infected in the country as at yesterday.

The programme depends largely on online registrations.

Cyber security expert Alfons Tanujaya believes the hacking was unlikely to be sophisticated, with the attacker using "basic" methods such as SQL injection, which involves the use of a malicious code.

"Judging from the quantity of the leaked data, the data protection is likely still too weak," Mr Alfons told The Straits Times.

He warned that although the leaked data did not include medical records, the contact details and other personal data could potentially be misused. "The (latest) case is the tip of the iceberg from (Indonesia's) messy data management," Mr Alfons said.

Cases of data breach have been surging in Indonesia, which is home to a huge number of tech-savvy Internet users.

In May last year, a hacker offered on RaidForums the personal data of 15 million users of Tokopedia, Indonesia's biggest e-commerce platform, which recently merged with ride-hailing company Gojek.

The following month, in June, the data of 230,000 people taking Covid-19 tests was sold on the same platform.

Indonesia's Parliament has again put the Personal Data Protection Bill on its priority list for deliberation this year, but it has yet to be debated.

Mr Dedy called for electronic system providers to report instances of hacking to the authorities at the first opportunity.

"They are also obliged to convey to the owners of the personal data, in written statements, about their failure to protect the personal data," he said in the statement.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on May 22, 2021, with the headline Steps taken to stop further leak of social security data: Indonesia. Subscribe