The Ministry of Communication and Digital Affairs (Komdigi) has issued official notifications to all electronic system providers (PSE) of institutions said to have been beached by a hacker and blocked the domain of the site where the stolen data had reportedly been posted.

“Komdigi, in line with its authority, has already notified the PSEs suspected of experiencing this data breach,” Alexander Sabar, Director General of Digital Space Supervision at Komdigi, said on Tuesday, July 29, 2025.

“Further investigations will be conducted to determine whether any violations of personal data protection occurred,” he added.

As data processors, PSEs are required to assess whether a data breach has occurred within their systems and implement corrective actions to mitigate any potential harm to affected individuals. The consequences of such breaches can be both material and immaterial, depending on the nature of the leaked data.

Should a personal data protection failure be confirmed, the law mandates that PSEs notify the affected individuals as part of transparency measures and impact mitigation efforts.

The hacker known as DigitalGhost has allegedly offered for sale sensitive data belonging to several major Indonesian institutions, including the West Java Provincial Administration, the Ministry of Education, Culture, Research, and Technology (Kemendikbud Ristek), the Workers Social Security Agency (BPJS Ketenagakerjaan), fintech company Kreditplus, and the National Police.

Komdigi has also blocked the domain darkforum.st, the site where DigitalGhost reportedly posted the stolen data.

“This morning, the thread from the @ghosthackerwar account − used by DigitalGhost to post leaked citizen data − was no longer found. The account has since been renamed to DigitalGhostt,” Alex cited.

He emphasized that Komdigi continues to take regulatory and supervisory actions to prevent further data protection failures, which include:

1. Drafting regulations to provide a legal framework;

2. Ensuring legal certainty for the public;

3. Conducting proactive and reactive monitoring (e.g., dark web tracking);

4. Investigating data protection violations;

5. Receiving public complaints and offering consultations;

6. Providing technical guidance to PSEs;

7. Promoting digital literacy programs;

Improving human resources through the Digital Talent (Digitalent) program.

Meanwhile, cybersecurity expert Alfons Tanujaya from Vaksincom expressed skepticism about the legitimacy of the leaked data.

“The links provided by the hacker are mostly broken,” he noted, suggesting that much of the information was old and repurposed.

In a surprising turn, DigitalGhost also issued a clarification about the alleged West Java government data, admitting the data was invalid and issuing an apology.

While the incident highlights the ongoing risks in Indonesia’s digital infrastructure, the government's rapid response and continued oversight reflect growing efforts to enforce personal data protection and restore public trust.