Nur Janti, Jakarta – The government is back in the spotlight for failing to protect citizens' data following an alleged breach of COVID-19 tracking app PeduliLindungi – the second apparent hack of a state database since a national privacy law was enacted in October.
Last week, the pseudonymous hacker Bjorka, who previously claimed to have obtained and leaked the personal data of President Joko "Jokowi" Widodo and his ministers, offered 3.2 billion data entries allegedly belonging to users of the PeduliLindungi app for sale on the hacking site Breach Forums for US$100,000 in bitcoin. The data included users' contact details, ID card details, travel history, vaccination status and COVID-19 test results.
The government uses the effectively mandatory PeduliLindungi for COVID-19 contact tracing and vaccination verification.
Officials from the Cyber and Crypto Agency (BSSN); the Communications and Information Ministry and state-owned telecommunications firm Telkom, which created the app; and the Health Ministry, which manages the app's data, say they are still investigating the alleged breach and verifying the authenticity of the stolen data.
"We have coordinated and started data validation and investigation to verify the alleged data leak of PeduliLindungi," BSSN spokesperson Ariandi Putra told The Jakarta Post on Friday.
Health Minister Budi Gunadi Sadikin has denied that the data came from the PeduliLindungi database, which is managed by his office, kompas.com reported.
The incident comes less than a week after Bjorka put 44 million personal data entries apparently belonging to users of fuel payment app MyPertamina up for sale on the same hacking forum. The claimed leak is under investigation by state-owned oil and gas giant Pertamina.
The Personal Data Protection Law, enacted in October following a string of digital attacks on state and private institutions, grants citizens more control over their personal information online and seeks to spur cybersecurity improvements. It requires data controllers and processors to ensure the rights of "data subjects" and the security of their data, including by setting up firewalls and encryption systems.
But the law gives data handlers two years to build their security systems, and the data protection oversight agency that it calls for to administer sanctions and fines has not been established.
"The transition period has become a critical time for ensuring the compliance of data controllers. To date, with the absence of the oversight agency, it remains unclear which institution is responsible for this role," Institute for Policy Research and Advocacy (Elsam) executive director Wahyudi Djafar said.
Despite the two-year grace period to build better systems, Wahyudi said the Health Ministry, as PeduliLindungi's data controller, should have at least notified data subjects of a possible breach and informed them about how to mitigate it within 72 hours of discovering the issue – as the privacy law demands.
As of Monday evening, such a notification was nowhere to be found.
Pratama Persadha of the Communications and Information System Security Research Center (CISSReC) was unconvinced by the Health Minister's denial of the breach, as the data being sold by Bjorka appeared identical to the contents of the PeduliLindungi database, based on a comparison of samples. He urged the ministry to run digital forensic analysis to verify the leak.
House of Representatives Commission I, which oversees intelligence and information, is planning to discuss the alleged PeduliLindungi data leak with the communications minister on Wednesday, according to lawmaker Muhammad Farhan of the NasDem Party.

Shortly after the enactment of the privacy law, Commission I formed a data security working committee to keep tabs on how the government was implementing the new law and building stronger cybersecurity systems.