Tuesday, May 28, 2024

BSI’s data breach: A menace to Indonesia’s banking security

Reading Time: 3 minutes
Audina Nur


Mahinda Arkyasa



A ransomware cybercriminal group Lockbit 3.0 claimed on Saturday (14/5) that they have acquired 1.5 terabytes of data from PT Bank Syariah Indonesia (BSI). This massive breach comprises of sensitive personal information belonging to a staggering 15 million customers and staff members of the bank.

This personal information data includes phone numbers, addresses, names, document information, account numbers, card numbers, and transactions. It also included financial documents, legal paperwork, non-disclosure agreement (NDA) contracts, and passwords for both internal and external bank services.

Following the unsuccessful 72-hour deadline for BSI management to resolve this issue, Lockbit 3.0 is suspected to have distributed this extensive data on dark websites on Tuesday (16/5). 

In a screenshot shared by the Twitter account @darktracer_int, it is apparent that a substantial amount of company management data has been leaked, ranging from regional chief executive officers (RCEO) to corporate secretaries. 

The screenshot also reveals several internal documents such as retail banking data backups and a database of contract requirement documents dated April 19, 2022. 

Furthermore, Lockbit 3.0 made a provocative announcement urging customers to cease using BSI due to their alleged lack of knowledge in safeguarding their money, savings, and personal information from cyber criminal attacks. 

BSI management responds

Despite the attack exposing customers’ data, BSI corporate secretary Gunawan A Hartoyo reassured that data and funds remain secure. 

“We urge customers to remain calm as we ensure the security of their data, funds, and transactions. We will also collaborate with the relevant authorities regarding this data breach issue,” Gunawan said, quoted from Tekno Liputan6.com on Tuesday (16/5).

Previously, BSI president director Hery Gunardi emphasized the need of conducting further audits and digital forensics to confirm the extent of the attack. 

He claimed that BSI has taken preventive measures to enhance security of its information technology, as evidenced by an increased allocation of capital expenditure budget to strengthen the IT system, reaching IDR 580 billion compared to the previous year’s approximately IDR 280 billion. 

Simultaneously, the company is conducting internal investigations and maintaining coordination with relevant parties, including the National Cyber and Crypto Agency (BSSN), Financial Services Authority (OJK), Bank Indonesia (BI), and others.

The BSI ransomware attack is the first hacker action to affect banking services. So far, many hacker groups have penetrated the banking system and other public institutions, but not to the extent of impairing activities.

Cyberattacks on Indonesia finance and banking industry

In Indonesia, almost all public institutions have experienced breaches by hackers. This reveals the vulnerability of cyber security devices in public institutions, especially those that handle people’s personal data. 

According to cybersecurity agency Palo Alto Networks, Indonesia is the third country with the highest number of ransomware attacks in Southeast Asia. In the past 18 months, Indonesia has experienced 14 ransomware attacks, primarily targeting the manufacturing, wholesale, and retail sectors, and professional and legal services. 

Meanwhile, Check Point Software Technologies’ study found that cyberattacks on Indonesia’s finance and banking industry topped the list, with an average of 2,730 attacks per week since January 2022. This figure is 252 percent higher than the global average of 1,083 cyberattacks.

This indicates that hackers find it relatively easier to operate within the country due to its lower level of cybersecurity. As a result, Indonesia becomes a vulnerable target for hackers and cyberattacks. 

Hackers’ actions are confined to trading personal data on the dark web or demonstrating their ability to infiltrate institutions considered strategic. 

For BSI, the ransomware attack this time could have a dual impact. Besides being scrutinised by the public about its security system, BSI’s image will also be damaged as the company is trying to attract new investors from abroad. 

This is part of the government’s scenario to “sell” BSI, the merged output of the Islamic units of three state-owned banks, to investors. After acquiring a new investor, BSI will expand overseas services.

Audina Nur


Mahinda Arkyasa




We will provide you with an invoice for your reimbursable expenses.


New to Indonesian market? Read our free articles before subscribing to the premium plan. If you already run your business in Indonesia, make sure to subscribe to the premium subscription so you won’t miss any intelligence & business opportunities.


$550 USD/Year


$45 USD/Month

Cancelation: you can cancel your subscription at any time, by sending us an email inquiry@ibp-media.com

Add keywords to your market watch and receive notification:
Schedule a free consultation with us:

We’ll contact you for confirmation.


PT Barito Renewables Energy (BREN) has been included in the FTSE Global Equity Index, a large cap category, which will take effect on Monday, June 24, 2024
The Corruption Eradication Commission (KPK) has named a number of suspects in its investigation into the alleged corruption within the Directorate General of Railways (DJKA), the Ministry of Transportation.
Jakarta, May 27, 2024 − PT Perusahaan Gas Negara (PGN), a gas subholding of State energy company PT Pertamina, has paid off the remaining bonds worth US$396,709,000 in accordance to the maturity date as part of the repayment of the overall bond value of US$1.35 billion issued in 2014 and listed on the Singapore Exchange.
JAKARTA – The International Labour Organization (ILO), along with three trade unions on garment, on Sunday, May 26, 2024, launched a grievance application for the Indonesian garment workers.
JAKARTA – President Joko “Jokowi” Widodo launched Government Technology (GovTech) digital application called ‘INA Digital’ in Jakarta on Monday, May 27, 2024.
Jakarta, May 27, 2024 − The Business Competition Supervisory Commission (KPPU) has found indications of violation of Law No. 5/1999 on prohibition of monopolistic practices by Lazada Indonesia (PT Ecart Webportal Indonesia).