The Cyber Security Research Institute (CISSReC) has reported yet another significant data breach just before Indonesia’s 79th Independence Day celebration, this time targeting the National Civil Service Agency (BKN).
Pratama Persadha, Chairman of CISSReC and a postgraduate lecturer at the State Intelligence College (STIN), confirmed the breach on Sunday morning in Semarang, Central Java.
According to Pratama, the breach was first revealed in a post by an anonymous hacker known as TopiAx on Breachforums on Saturday, August 10, 2024.
The hacker claimed to have obtained a staggering 4,759,218 rows of data from BKN, containing sensitive information such as names, places and dates of birth, academic titles, dates of civil servant appointments, NIP (Civil Servant Identification Number), CPNS (Candidate Civil Servant) Recruitment Decree (SK) numbers, and PNS (Permanent Civil Servant) SK numbers.
Other data included ranks, job positions, institutions, addresses, identity numbers, phone numbers, email addresses, educational backgrounds, majors, and graduation years.
The stolen data included both cleartext information and data processed through cryptographic methods.
The hacker reportedly offered the entire dataset for sale at a price of US$10,000 (Rp160 million).
Pratama revealed that the hacker shared a sample containing data on 128 civil servants from various agencies in Aceh.
CISSReC conducted a random verification of 13 names listed in the sample via WhatsApp, and the respondents confirmed that the data was accurate, although some noted minor errors in the final digits of the NIP and NIK fields.
As of Sunday morning, there has been no official response from BKN or other relevant authorities such as the National Cyber and Encryption Agency (BSSN) and the Ministry of Communication and Informatics regarding the suspected data breach.
It’s worth noting that BKN had signed a memorandum of understanding (MoU) with BSSN on October 3, 2022, to strengthen civil servant data protection and enhance the quality of electronic information and transaction security.
However, this MoU was only valid for one year and expired in October 2023. It remains unclear whether BKN has extended the MoU with BSSN.
This incident raises serious concerns about the state of cybersecurity within government institutions, especially in light of the sensitive nature of the compromised data and its potential implications.