Cyber security in Indonesia has come into question following four recent data leakage incidents that have caused public anxiety.
First, there was a data leak on August 20, 2022, affecting 17 million customers of state electricity company PT PLN. The data contained customers’ ID numbers, names and addresses as well as their electricity usage bills. To convince potential buyers, the seller also provided 10 data samples from the 17 million PLN customer records he was selling.
Second, information emerged about an alleged leak of customer data from internet provider Indihome. The Twitter user @secgron uploaded the data in a thread on August 21, 2022. Ahmad Reza, Senior Vice President (SVP) of Corporate Communication and Investor Relations of Indihome – a subsidiary of state telecommunication firm PT Telkom – immediately dismissed the issue, saying it was a hoax and invalid.
Third, SIM card registration data allegedly originating from the Ministry of Communication and Information Technology was leaked. Around 1.3 billion customer data entries – including ID numbers, telephone numbers, names, provider names and dates of registration – were leaked. The 87 GB of SIM card data is being sold for US$ 50,000, or around IDR 743 million.
Fourth, 105 million population records of Indonesian citizens were allegedly leaked and sold online on the “Breached Forums”. The data was sold by a forum member with the username “Bjorka” in a post on the Breached Forums website entitled “INDONESIA CITIZENSHIP DATABASE FROM KPU 105M” (Indonesian population database of the KPU (General Elections Commission) 105 million). Bjorka is the same account that leaked and sold 1.3 billion IndiHome customers’ data.
The data is also suspected to have been traded on one of the hacker sites. The Bjorka account claimed to have shared 2 million data samples that had been collected from 2017 to 2020. Telkomsel, Indosat, Tri, XL and Smartfren are the telecommunication operators named by Bjorka.
The post about the data claimed to be from the KPU was uploaded shortly after Bjorka uploaded a reply message to Kominfo, “Stop Being an Idiot”, after being asked, “don’t attack”.
Urgency of deliberating Protection of Personal Data (PDP) bill
The House of Representatives’ Commission I, which oversees defense, foreign affairs, informatics and intelligence, and the government have agreed to bring the Personal Data Protection Bill to a plenary meeting. Lawmakers are to deliberate on passing the bill into law on September 7, 2022.
“The PDP bill has gone through six session extensions, working committee meetings, as well as drafting team meetings and synchronization teams. Lawmakers have completed the discussion of a total of 371 problem inventory lists (DIM) of the PDP bill and agreed on 16 chapters and 76 articles in the bill,” said communication minister Johnny G. Plate.
Public and private companies that own and store a person’s personal data must protect the confidentiality of the data, as required by Law No. 14/2008 on the Openness of Public Information and Law No. 24/2013 on the amendments to Law No. 23/2006 on Population Administration. Meanwhile, the Public Information Commission (KIP) is pushing for the PDP bill to be deliberated immediately.
From a legal and political standpoint, the misuse of personal data is a criminal act that fulfills the elements of theft, fraud and other criminal acts, in terms of both objective and subjective elements. Thus, there must be administrative, civil and criminal sanctions against the perpetrators.
The PDP bill is sovereign regarding personal data, which has value to its users. The government’s role in protecting personal data is not only as a facilitator and regulator but also as a user.
Several legal rules related to Personal Data Protection include: Article 1 clauses 1 and 2 of the Regulation of the Minister of Communication and Information Technology No. 20/2016 on the Protection of Personal Data in Electronic Systems; Article 1 clause 27 of Government Regulation No. 82/2012 on the Operation of Electronic Systems and Transactions, which defines Personal Data as certain individual data that is stored, kept true and kept confidential; and the legal protection of customers’ personal data in the implementation of internet banking services, which is linked to Law No. 10/1998 on the amendments to Law No. 7/1992 on Banking.
Article 26 of the ITE (Information and Electronic Transactions) Law states that the use of personal data through electronic media must be based on the consent of the person concerned, and that losses arising from misuse of personal data can be pursued through non-litigation routes such as deliberation, or through litigation by way of lawsuits in court as an effort to apply for compensation. Under the provisions of Article 26 Paragraph 2 of the ITE Law mentioned above, criminal provisions have not emerged or have not been regulated. The norms therefore need to be reformulated by adding criminal sanctions in order to create a deterrent effect, even though criminal sanctions are a last resort.
Disrupting development of digital space
It should be underlined that the community is the most disadvantaged party when there is a data leak, because personal data is attached to the community. Moreover, people provide the data because they use a service.
In accordance with Law No. 11/2008 on ITE, the data controllers, namely cellular operators, must maintain the confidentiality of users’ data.
The PDP bill needs to be ratified immediately so that there is no legal vacuum regarding theft or leakage of personal data, especially given the trends, methods and techniques of cyber attacks aimed at stealing personal data, company data, and data related to state security.
Last but not least, if data leakage continues in Indonesia, it will disrupt the country’s efforts to build a digital space, reduce its competitiveness, and make investors nervous about the possibility of leaks of business deal data and other information.