Eisya A. Eloksari, Jakarta – A recent data breach jeopardizing more than 15 million user accounts of Indonesian unicorn Tokopedia has exposed the vulnerability of personal data on digital platforms as Indonesians increasingly turn to e-commerce to meet their needs from home.
The cybersecurity research collective Under the Breach told The Jakarta Post in an e-mail correspondence that large companies such as Tokopedia were at a disadvantage by having a lot of employees with access to the companies' internal systems.
"Hackers often use social engineering tactics to send phishing emails to employees, which in return allows them access to different systems inside the company," the e-mail reads.
Furthermore, big companies usually rely heavily on third party companies' products that integrate with their systems, which means the third parties have access to the company's internal and sensitive systems further exposing it to the risk of hacking.
The collective first reported the massive data leak on its official Twitter page @underthebreach on May 2. It also revealed that data on 91 million Tokopedia users was allegedly being sold online for US$5,000.
The breach comes at a time when e-commerce has become an essential need as people opt for online shopping during the COVID-19 pandemic. New sellers on Tokopedia, particularly in the personal health category, have seen a 250 percent surge, while business research and consultancy firm Inventure Indonesia categorizes e-commerce as one of the few sectors to benefit from social distancing.
Communication & Information System Security Research Center (CISSReC) chairman Pratama Persadha said the incident would cause concern among consumers shopping in online marketplaces, especially those which held payment data such as credit and debit card information.
"It's possible that other e-commerce platforms have been hacked too," he said referring to the 2015 Bukalapak data breach. "It's just that Tokopedia's hackers opted to publicize and sell the data to the public while others might have asked for money directly from the company."
The Hacker-Powered Security Report 2019 published by bug bounty platform HackerOne suggests that data leaks among retail and e-commerce platforms are happening more frequently than is recognized as more than two-thirds of all retailers consider cybercrime their top security issue.
Meanwhile, recent research by security firm Kaspersky shows that identifiable personal information such as name and age are the type of data most often targeted by cybercriminals. Once hit by a cyberattack, 29 percent of the targeted companies said that they had difficulties attracting new customers.
Institute for Policy Research and Advocacy (ELSAM) said Tokopedia as a digital platform and data holder must notify its users, especially those whose data were breached, in accordance with Government Regulation (PP) No. 71/2019.
Communication and Information Ministerial Regulation No. 20/2016 allows for a notification process of up to 14 days, whereas the personal data protection bill would require it to be done within three days.
"Unfortunately, although [the data leak] happened a few days ago, there has still not been any written notification from the platform provider to its consumers as personal data owners," ELSAM wrote in an official press statement.
Indonesia has yet to have its own version of the European Union's General Data Protection Regulation (GDPR) as deliberations have stalled since the government submitted the draft bill to the House of Representatives in January.
Tokopedia held a meeting on Monday with Communications and Information Minister Johnny G. Plate and the National Cyber and Encryption Agency (BSSN), after which the minister said financial and user data were "safe".
"Tokopedia has explained that user accounts and financial data are safe. It was conveyed [during the meeting that Tokopedia's] security system cannot be breached, although data relating to names, emails and telephone numbers may have partly been accessed by hackers," Johnny said after the meeting. "Tokopedia is conducting an in-depth evaluation."
Tokopedia spokesperson Nuraini Razak stressed that users should change their passwords periodically to prevent further data breaches and phishing.
Indonesia E-Commerce Association (idEA) chairman Ignatius Untung said that people should not be worried about using e-commerce sites as each platform would try to improve security regardless of whether a data breach has happened.
He went on to say that every platform that has experienced data leakage must be regarded as a victim rather than the perpetrator as he believed no e-commerce platform would intentionally create a faulty security system so that data could be leaked.
"It is unfortunate that the platform is often considered as the only party responsible in cases of a data breach," he said. "While the hackers are often spared from scrutiny, even though they are the culprits."
The term "hacker" often has negative connotations associated with criminality. However, there has been a growing trend of good bug bounty hackers whose job it is to detect companies' privacy gaps and report them to be fixed.
"Bug bounties are getting more popular in the cybersecurity industry and they go hand-in-hand with penetration testing as a form of defense-in-depth solution," said Singapore-based HackerOne hacker Samuel Eng.
According to HackOne data, in the past year, the retail and e-commerce industry saw a 23 percent growth in hacker-powered security programs but it still only accounted for 4 percent of all hacker-powered security programs.