Will this Curtail the Damage?
Indonesia is one of the primary targets for cybercriminals and has been the victim of a series of high-profile data breaches in the past months. Reports suggest that Indonesia has suffered over 11 million cyber-attacks in the first quarter of 2022, a 22% increase from last year.
The country has become one of Southeast Asia’s most-targeted nations for ransomware attacks. In response to the damage that data breaches and leaks have caused to high-profile institutions and firms, the Indonesian government has implemented the Personal Data Protection (PDP) Law. The bill had been under deliberation since 2019 and has recently been passed.
Cyble Research and Intelligence Labs (CRIL) observed a marked increase in activity targeting Indonesia on cybercrime forums. The country’s Q3-2022 cybercrime statistics reflect an alarming surge in September 2022: a 40% uptick in data leaks compared to August.
Our research attributes this uptick in data breaches in Indonesia to several factors enumerated in subsequent sections of this blog.
Sectoral & Economic Impact
CRIL analyzed the impact of these cybercrime incidents on various Indonesian industry groups. As indicated in the chart below, it is alarming that over 37% of the total data breaches and leaks originate from government-related entities in Indonesia.
Indonesian Data on Cybercrime Forums
CRIL discovered the following spate of data leaks on various cybercrime forums:
IndiHome (owned by Telkom Indonesia)
In August 2022, IndiHome, a home telephone, internet, and television service, suffered a data breach. The incident exposed 26 million Indonesian users’ records, including full names, email addresses (mostly @telkom.net), genders, national ID numbers, IP addresses, and websites visited.
KEMENKUMHAM (Ministry of Law and Human Rights database of the Republic of Indonesia)
The Ministry of Law and Human Rights database of the Republic of Indonesia (kemenkumham.go.id) was offered for sale in August. The database allegedly included over 85k employee records consisting of registration number, full name, email address, phone number, and address, along with 800Mb+ of other private data.
KOMINFO (Indonesian Ministry of Communication and Information)
In late August, 1.3 billion records related to SIM card registration belonging to the Indonesian Ministry of Communication and Information Technology (KOMINFO) were put up for sale on a popular cybercrime forum.
The threat actor (TA) posted a sample of 2 million records, which contained phone numbers, NIKs (Nomor Induk Kependudukan/National ID number), telecom providers, and registration dates.
Alleged Indonesia Citizenship Database from KPU servers (Indonesia’s General Elections Commission)
Approximately 105 million records of Indonesian citizens were offered for sale in September. The threat actor claimed to have breached the KPU server in September 2022 and gained access to these records. The compromised data contained NIK (National ID Card Number), KK (Family Card Number), full name, birthplace, DoB, gender, and age.
Confidential letters between BIN (Indonesia’s State Intelligence Agency) and the President of the Republic of Indonesia leaked
In early September, a threat actor leaked 180 MB of data comprising secret communication (letters) between Indonesia’s Badan Intelijen Negara (BIN) (the State Intelligence Agency) and the President of the Republic of Indonesia, Mr. Joko Widodo. It consisted of 679,180 records with the following fields: title of the letter, letter number, suggestion, sender, receiver employee ID, and letter date.
Tri Indonesia (PT Hutchison 3 Indonesia)
In September 2022, the alleged database of the Indonesia-based telecommunications services provider Tri Indonesia was leaked. The compromised database had 408,128 records containing SIM card purchases, client names, shipping and billing addresses, emails, payment methods, and total purchase amounts.
Boga group (PT Boga Inti)
A known threat actor claimed to have compromised an Indonesian restaurant chain, PT Boga Inti (boga.id), and allegedly exfiltrated 31 GB of data incorporating customer records, employee data, and financial information. The customers’ data, consisting of names, phone numbers, and email addresses, was put up for sale.
Snafus & Slips
During the past few months, we observed multiple security gaps exploited by threat actors to gain access to various sensitive databases from public and private organizations in Indonesia:
- SQL Injection – One of the most common methods used by threat actors is to inject malicious SQL code into data-driven web applications that build queries from unvalidated user input.
- Directory Listing – Threat actors also leverage Google dorks to identify sites with exposed directories. An exposed listing may give access to source code or provide information useful for devising exploits, such as file creation times or anything encoded in file names, and it may directly expose private or confidential data.
- Security Misconfiguration – Missing security hardening across any part of the application stack, or improperly configured permissions on cloud services.
- Supply Chain Attacks – Attackers identify and compromise an insecure supplier in a hardware or software supply chain to gain access to its more significant trading partners.
- Unpatched Vulnerabilities – In many instances, the targeted organizations ran outdated software versions. Attackers exploited these to compromise and control the vulnerable systems.
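The first gap in the list above, SQL injection in data-driven web applications, is easiest to understand side by side with its fix. The following is an added illustration, not code from CRIL or from any breached system: a lookup that splices user input into the query text next to the same lookup using parameter binding, run against a constructed in-memory table with made-up records.

```python
import sqlite3

# Constructed sample user store standing in for a web application's
# database (made-up records, not data from any real incident).
USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input becomes part of the SQL text, so whoever controls
    # the input also controls the query's grammar, not just a value.
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding ships the value separately from the statement;
    # the driver never re-parses it as SQL, whatever characters it holds.
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows from the hardened one)."""
    conn = make_db()
    # The textbook tautology input: it closes the string literal and appends
    # an always-true condition, so the vulnerable WHERE clause matches every row.
    untrusted_input = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, untrusted_input)
    safe = lookup_hardened(conn, untrusted_input)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print(f"vulnerable query returned {leaked_rows} rows; hardened returned {safe_rows}")
```

The hardened version also behaves correctly for legitimate input, returning exactly the one matching user, which is the property the string-built query cannot guarantee.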
Personal Data Protection (PDP) Law
On September 20, 2022, Indonesia’s House of Representatives approved the Personal Data Protection (PDP) Bill, which had been under discussion since 2019.
The Law covers all persons and all foreign and domestic organizations, both public and private, that process the personal data of Indonesian citizens or carry out other activities specified under the PDP Law. The law explains its nuances and applicability in detail:
- The law defines Personal Data as any data concerning a person who is identified or may be identified, independently or in combination with other information, either directly or indirectly, through an electronic or non-electronic system
- It further classifies personal data into two categories: general personal data and personal data of a specific nature
- The law further elaborates on two important categories of actor: Data Handlers and Data Controllers
- The bill also specifies required documents or circumstances for the transmission of data outside Indonesia, such as pre-obtained approval of the personal data owner and bilateral international agreements
- Any person who intentionally and unlawfully obtains or collects Personal Data that is not his own, to benefit himself or another person, in a way that may cause loss to the Personal Data Subject shall be punished with imprisonment for a maximum of five years or a maximum fine of USD0.3 million
- Any person who intentionally and unlawfully discloses Personal Data that does not belong to him shall be sentenced to a maximum imprisonment of four years and a maximum fine of USD0.25 million
- Any person who intentionally creates false Personal Data or falsifies Personal Data with the intention of benefiting himself or another person which can cause harm to others shall be punished with imprisonment for a maximum of six years and/or a maximum fine of USD0.38 million
- In the event of a breach, affected organizations need to notify affected parties within 72 hours. They may face sanctions in the form of written warnings, temporary suspensions, and fines of up to 2% of annual income or revenues.
- Assets of the company leaking personal data could also be seized or auctioned off to cover fine amounts
- Those affected by data leaks are entitled to seek compensation for data loss and to withdraw consent to the use of their data. The entities from which the data leaked are also given 24 hours to update and correct errors in stored data after receiving a request to do so
- A regulatory body will be formed by the government, responsible for ensuring compliance with the Personal Data Protection principles and mitigating the risk of personal data protection breaches
- The enforcement directive of the PDP Law states that the law will not take effect for all entities until two years after enactment, i.e., in 2024
After the ratification of the law, CRIL observed an influx of Indonesian-speaking members joining the underground forums: some leaked more data, some posted retaliatory messages against the law, and some launched a campaign opposing the bill, claiming it to be a botched government reform not aligned with safeguarding Indonesian citizens’ interests. These activities were also instigated by various hacktivist factions on social media.
Indonesia thus far may have suffered the largest data breaches of 2022 after Costa Rica. Indonesian citizens will have to bear a heavy price in times to come for the loss of their sensitive data, which is regrettable. With the enactment of the PDP Law, the government has affirmed Indonesian citizens’ fundamental right to privacy by protecting their data. However, enforcing the law in its true letter and spirit, containing the existing damage, and preventing future cybercrimes against citizens and businesses is an arduous journey, though it seems achievable.