Wednesday, November 6, 2024

BSI’s data breach: A menace to Indonesia’s banking security

Reading Time: 3 minutes
Audina Nur

Journalist

Mahinda Arkyasa

Editor

Interview

A ransomware cybercriminal group Lockbit 3.0 claimed on Saturday (14/5) that they have acquired 1.5 terabytes of data from PT Bank Syariah Indonesia (BSI). This massive breach comprises of sensitive personal information belonging to a staggering 15 million customers and staff members of the bank.

This personal information data includes phone numbers, addresses, names, document information, account numbers, card numbers, and transactions. It also included financial documents, legal paperwork, non-disclosure agreement (NDA) contracts, and passwords for both internal and external bank services.

Following the unsuccessful 72-hour deadline for BSI management to resolve this issue, Lockbit 3.0 is suspected to have distributed this extensive data on dark websites on Tuesday (16/5). 

In a screenshot shared by the Twitter account @darktracer_int, it is apparent that a substantial amount of company management data has been leaked, ranging from regional chief executive officers (RCEO) to corporate secretaries. 

The screenshot also reveals several internal documents such as retail banking data backups and a database of contract requirement documents dated April 19, 2022. 

Furthermore, Lockbit 3.0 made a provocative announcement urging customers to cease using BSI due to their alleged lack of knowledge in safeguarding their money, savings, and personal information from cyber criminal attacks. 

BSI management responds

Despite the attack exposing customers’ data, BSI corporate secretary Gunawan A Hartoyo reassured that data and funds remain secure. 

“We urge customers to remain calm as we ensure the security of their data, funds, and transactions. We will also collaborate with the relevant authorities regarding this data breach issue,” Gunawan said, quoted from Tekno Liputan6.com on Tuesday (16/5).

Previously, BSI president director Hery Gunardi emphasized the need of conducting further audits and digital forensics to confirm the extent of the attack. 

He claimed that BSI has taken preventive measures to enhance security of its information technology, as evidenced by an increased allocation of capital expenditure budget to strengthen the IT system, reaching IDR 580 billion compared to the previous year’s approximately IDR 280 billion. 

Simultaneously, the company is conducting internal investigations and maintaining coordination with relevant parties, including the National Cyber and Crypto Agency (BSSN), Financial Services Authority (OJK), Bank Indonesia (BI), and others.

The BSI ransomware attack is the first hacker action to affect banking services. So far, many hacker groups have penetrated the banking system and other public institutions, but not to the extent of impairing activities.

Cyberattacks on Indonesia finance and banking industry

In Indonesia, almost all public institutions have experienced breaches by hackers. This reveals the vulnerability of cyber security devices in public institutions, especially those that handle people’s personal data. 

According to cybersecurity agency Palo Alto Networks, Indonesia is the third country with the highest number of ransomware attacks in Southeast Asia. In the past 18 months, Indonesia has experienced 14 ransomware attacks, primarily targeting the manufacturing, wholesale, and retail sectors, and professional and legal services. 

Meanwhile, Check Point Software Technologies’ study found that cyberattacks on Indonesia’s finance and banking industry topped the list, with an average of 2,730 attacks per week since January 2022. This figure is 252 percent higher than the global average of 1,083 cyberattacks.

This indicates that hackers find it relatively easier to operate within the country due to its lower level of cybersecurity. As a result, Indonesia becomes a vulnerable target for hackers and cyberattacks. 

Hackers’ actions are confined to trading personal data on the dark web or demonstrating their ability to infiltrate institutions considered strategic. 

For BSI, the ransomware attack this time could have a dual impact. Besides being scrutinised by the public about its security system, BSI’s image will also be damaged as the company is trying to attract new investors from abroad. 

This is part of the government’s scenario to “sell” BSI, the merged output of the Islamic units of three state-owned banks, to investors. After acquiring a new investor, BSI will expand overseas services.

Audina Nur

Journalist

Mahinda Arkyasa

Editor

 

Interview

SUBSCRIBE NOW
We will provide you with an invoice for your reimbursable expenses.

Free

New to Indonesian market? Read our free articles before subscribing to the premium plan. If you already run your business in Indonesia, make sure to subscribe to the premium subscription so you won’t miss any intelligence & business opportunities.

Premium

$550 USD/Year

or

$45 USD/Month

Cancelation: you can cancel your subscription at any time, by sending us an email inquiry@ibp-media.com

Add keywords to your market watch and receive notification:
Schedule a free consultation with us:

We’ll contact you for confirmation.

FURTHER READING

A defense analyst says the Ministry of Defense’s plan to procure two Fast Missile Boats (KCR) from Turkiye as part of the measures taken by President Prabowo Subianto to set an example for domestic defense industry to improve the quality of its products.
The Indonesian Navy and the Russian Navy held a joint exercise in Indonesia on Monday, November 4, 2024, the first held ever such military exercise between both nations.
Minister of State-Owned Enterprises (SOEs), Erick Thohir, has again proposed the merger of several state-owned companies in the food, logistics, infrastructure and construction clusters.
The Ministry of Communication and Digital has temporarily deactivated 11 employees following their detention by police over involvement in illegal online gambling activities. This measure marks the ministry’s first step in reinforcing its commitment to institutional integrity and credibility amid rising digital crime.
An energy expert and senior economist has called for a just and orderly energy transition in Indonesia in light of a recent global study that emphasized the need for countries worldwide to triple their renewable energy capacity by 2023 in order to stay align with climate target.
The Indonesian Commodity Futures Trading Regulatory Agency (Bappebti) has introduced new regulations under Regulation No. 9/2024, allowing institutional investors to enter the crypto market through registered Physical Crypto Asset Traders (PFAK). This policy is viewed as a step toward making Indonesia a key crypto hub in Asia and has received a positive response from industry leaders.