Cybersecurity experts have warned of the growing risk of brokerage app hacks that could lead to massive customer losses. 

Alfons Tanuwijaya of Vaksincom said breaches are not difficult once user credentials are stolen, often due to weak passwords, phishing, or failure to activate two-factor authentication (2FA).

“Anyone with a username and password will be treated as the account owner. That’s the rule in the digital world, which makes account security the responsibility of the asset holder,” Alfons told Katadata.co.id on Monday, September 22, 2025.

One investor, Annalia Setiawan, said she lost nearly all of her Rp180 million (US$11,000) investment in just two hours through 600 automated trades. Her large-cap banking stocks were sold off and shifted into small-cap shares and warrants, cutting her portfolio by 90 percent.

Alfons suggested the incident may have involved a breach on the brokerage’s API server, allowing hackers to alter registered recipient accounts. “That points to a system flaw, not user negligence,” he said.

Heru Sutadi, Executive Director of the Information and Communication Technology (ICT) Institute, said such attacks are highly plausible. Hackers often use phishing emails, malware, or exploit weak APIs to trigger mass automated transactions.

“This shows Indonesia’s financial systems remain vulnerable. Even a major brokerage like NH Korindo was hacked in July 2025, with losses reaching Rp200 billion,” he noted.

Both experts stressed preventive measures: activating 2FA or biometric logins, using strong and regularly updated passwords, keeping apps and operating systems updated, and avoiding public Wi-Fi or suspicious links. They also advised monitoring daily transactions and reporting irregularities immediately.

The warnings follow a suspected breach at PT Panca Global Sekuritas (PGS), a subsidiary of investment company PT Panca Global Kapital (PEGE). On September 9, 2025 the firm reported suspicious transactions in customer accounts (RDN) with estimated losses of Rp70 billion. The company said it refunded affected accounts by September 10, 2025 and suspended the compromised system, temporarily limiting clients’ access to online trading.