A ransomware cybercriminal group Lockbit 3.0 claimed on Saturday (14/5) that they have acquired 1.5 terabytes of data from PT Bank Syariah Indonesia (BSI). This massive breach comprises of sensitive personal information belonging to a staggering 15 million customers and staff members of the bank.
This personal information data includes phone numbers, addresses, names, document information, account numbers, card numbers, and transactions. It also included financial documents, legal paperwork, non-disclosure agreement (NDA) contracts, and passwords for both internal and external bank services.
Following the unsuccessful 72-hour deadline for BSI management to resolve this issue, Lockbit 3.0 is suspected to have distributed this extensive data on dark websites on Tuesday (16/5).
In a screenshot shared by the Twitter account @darktracer_int, it is apparent that a substantial amount of company management data has been leaked, ranging from regional chief executive officers (RCEO) to corporate secretaries.
The screenshot also reveals several internal documents such as retail banking data backups and a database of contract requirement documents dated April 19, 2022.
Furthermore, Lockbit 3.0 made a provocative announcement urging customers to cease using BSI due to their alleged lack of knowledge in safeguarding their money, savings, and personal information from cyber criminal attacks.
BSI management responds
Despite the attack exposing customers’ data, BSI corporate secretary Gunawan A Hartoyo reassured that data and funds remain secure.
“We urge customers to remain calm as we ensure the security of their data, funds, and transactions. We will also collaborate with the relevant authorities regarding this data breach issue,” Gunawan said, quoted from Tekno Liputan6.com on Tuesday (16/5).
Previously, BSI president director Hery Gunardi emphasized the need of conducting further audits and digital forensics to confirm the extent of the attack.
He claimed that BSI has taken preventive measures to enhance security of its information technology, as evidenced by an increased allocation of capital expenditure budget to strengthen the IT system, reaching IDR 580 billion compared to the previous year’s approximately IDR 280 billion.
Simultaneously, the company is conducting internal investigations and maintaining coordination with relevant parties, including the National Cyber and Crypto Agency (BSSN), Financial Services Authority (OJK), Bank Indonesia (BI), and others.
The BSI ransomware attack is the first hacker action to affect banking services. So far, many hacker groups have penetrated the banking system and other public institutions, but not to the extent of impairing activities.
Cyberattacks on Indonesia finance and banking industry
In Indonesia, almost all public institutions have experienced breaches by hackers. This reveals the vulnerability of cyber security devices in public institutions, especially those that handle people’s personal data.
According to cybersecurity agency Palo Alto Networks, Indonesia is the third country with the highest number of ransomware attacks in Southeast Asia. In the past 18 months, Indonesia has experienced 14 ransomware attacks, primarily targeting the manufacturing, wholesale, and retail sectors, and professional and legal services.
Meanwhile, Check Point Software Technologies’ study found that cyberattacks on Indonesia’s finance and banking industry topped the list, with an average of 2,730 attacks per week since January 2022. This figure is 252 percent higher than the global average of 1,083 cyberattacks.
This indicates that hackers find it relatively easier to operate within the country due to its lower level of cybersecurity. As a result, Indonesia becomes a vulnerable target for hackers and cyberattacks.
Hackers’ actions are confined to trading personal data on the dark web or demonstrating their ability to infiltrate institutions considered strategic.
For BSI, the ransomware attack this time could have a dual impact. Besides being scrutinised by the public about its security system, BSI’s image will also be damaged as the company is trying to attract new investors from abroad.
This is part of the government’s scenario to “sell” BSI, the merged output of the Islamic units of three state-owned banks, to investors. After acquiring a new investor, BSI will expand overseas services.