Andra Nasrie – Bank Syariah Indonesia (BSI), the largest Islamic bank in Indonesia, was reportedly hit by a ransomware attack that disrupted its services for several days. The hacker group LockBit claimed responsibility for the attack and reportedly released a massive trove of customer data today after the bank refused to pay their ransom of US$20 million.
On May 8, customers of the state-owned lender reported outages to the bank's mobile banking and ATM services, causing inconvenience and panic. Services were gradually restored by May 11, the bank said, while playing down suggestions that it was hit by a serious cyber attack.
As detailed in posts by the dark web threat intelligence platform Darktracer, on May 12 LockBit published a notice on its dark web leak site saying that it had accessed and paralyzed the bank's systems. The group also claimed to have stolen 1.5 terabytes of data, comprising the personal information of 15 million BSI customers and employees, including card numbers, account information, transaction records, and more.
The hacker group gave BSI 72 hours to "settle the matter." In another post, depicting a chat log between LockBit and BSI, the former demanded US$20 million to keep the stolen data from being published.
Meanwhile, the bank assured its customers that their data was safe and that it would not pay the ransom.
According to Darktracer, LockBit made the stolen BSI data public on its dark web leak site today, along with a message of condemnation addressed to BSI's customers.
"Most importantly, stop using BSI. These people do not know how to protect your money and personal information from criminals. The best these little crooks can do is lie to their clients' faces, delete comments on Twitter and grow a belly," the message reads.
LockBit also encouraged BSI customers who find their private information among the leaked data to file a class action lawsuit against the bank for violating data privacy laws.
In a statement published today, BSI corporate secretary Gunawan A. Hartoyo gave a somewhat vague reassurance that customers' data is safe.
"We hope that customers remain calm because we can confirm that customers' data and funds are safe, and that it is safe to carry out transactions. We are also working with the authorities in relation to the data breach issue," he said in the press release.
There have not yet been any independent reports verifying the existence and authenticity of the BSI information supposedly released on the dark web.
The attack raises questions about BSI's preparedness and vulnerability to cyber threats, as well as highlighting the need for better cyber security awareness and regulations in Indonesia's banking sector.
In September, Indonesia finally passed the Personal Data Protection Law after the bill had languished in parliament since its introduction in 2016. The ratification of the law took on renewed urgency after a hacker who goes by the handle Bjorka repeatedly exposed the country's cyber security shortcomings while embarrassing top government officials.
Among Bjorka's biggest scores was the registration data of 1.3 billion Indonesian SIM cards containing citizens' KTP (ID cards) and KK (Family Cards) details, which he listed for sale on a hacker marketplace.
LockBit is a ransomware-as-a-service operation whose malware is of the crypto-ransomware type: it encrypts the victim's files and demands payment for the decryption key, and its affiliates typically also exfiltrate data so that the threat of publication can be used as additional leverage if the victim refuses to pay. There have been several other recent reports of LockBit attacks on major organizations around the world, including ION Trading UK and Venezuela's largest bank.
The ransomware has even hit hospitals, although the group reportedly apologized after an affiliate's use of its software infected a children's hospital's systems, and it provided the decryption key for free.
Ransomware attacks have been around for many years, but they have increased enormously in recent years with the rise of cryptocurrency, which makes it easier for attackers to collect ransom payments while obscuring their identity. Such payments are pseudonymous rather than untraceable, however: the transactions are recorded on a public ledger and have in several cases been followed by investigators.