Indonesian authorities on Friday summoned state insurer BPJS Kesehatan, which provides universal health coverage, as part of an investigation into an alleged breach of personal data involving millions of people, the communications ministry said.
News this week that a trove of social security data was posted on a hacking forum has caused unease in the country of 270 million people, with some experts saying the breach points to Indonesia's weak cyber security infrastructure.
The ministry said the data were being sold and that the data sample involved 100,002 people, despite the seller claiming to have access to the data of about a million people.
It included information on families and payment status "identical to BPJS Kesehatan's data", spokesman Dedy Permadi said in a statement.
"The communications ministry has summoned the directors of BPJS Kesehatan as the manager of the personal data allegedly leaked," he added.
Dedy said some host sites had removed download links to the data.
A spokesman for BPJS Kesehatan said its technicians were working to uncover the cause of the breach.
Satriyo Wibowo, a cyber security expert and secretary of Indonesia Cyber Security Forum, said the leaks could cause a lot of public worry.
"It's personal data that could have implications sensitive to the owner's security and comfort," he said, adding that the data could be used for fake online loan applications.
"With this breach that largely went undetected, the seriousness of data protection is now questioned."