Nabila Azzahra, Najla (Translator), Jakarta – Cybersecurity expert Teguh Aprianto revealed that 34 million of Indonesia's passport data has been leaked and sold. Hackers often easily cracked the cyberdefense of Indonesia's government agencies, as proved by the data breaches in Pedulilindungi and MyPertamina applications.
Responding to the data leak allegation, cybersecurity expert Alfons Tanujaya argued that data leak keeps happening since Indonesia's public officials have lower cyber awareness than private bodies. He assessed that private bodies are more swift in evaluating data breaches.
"The awareness toward data security is substandard. Rather than seeing it as a responsibility, the government sees this as an opportunity to exploit and take advantage of," said Alfons to Tempo on Wednesday, July 5, 2023. "So, the public bears the brunt of it."
According to Alfonso, there is already an international standard, ISO 27001 and 27701, as the framework and guideline for personal data protection. He added that conforming to the standard will actually make the data breach source identification easier.
Meanwhile, Teguh Aprianto revealed that the leak consisted of passport numbers, expiration dates, dates of birth, gender, and passport issuance dates and are sold for up to US$10,000. "The hackers also provided 1 million data samples which appear to be valid. The timestamp is from the 2009-2020 period," Teguh said.
Disparity of data
Regarding the alleged passport data leaks, the Ministry of Communication and Informatics has already conducted an investigation. The ministry's Director General of Public Information and Communication (Dirjen IKP) Usman Kansong stated that the ministry has coordinated with the State Cyber and Signal Agency (BSSN) and the Director General of Immigration of the Ministry of Law and Human Rights. "There is a structural difference between the widely spread data and the data in National Data Center," Usman said to Antara.
Responding to Usman's statement, Alfonso Tanujaya pointed out that the breached data obviously came from the Directorate General of Immigration since it contained the National Identity Citizen Identity Card (NIKIM), a digital identity for future securement of electronic passport only owned by the Immigration agency. "NIKIM will contain personal data such as name, address, and identity number. The chip will be implanted in the passport and read by a special NIKIM reader," said Alfons.
The cyber and financial specialist from PT Vaksincom also said that NIKIM will not be able to defend against data breaches, and instead be useful for fake passport identification. Therefore, Alfons added, the responsibility falls on the government's hands.
Regarding the ministry's claim for the disparity between the data, Alfons believed that it did not deny the fact that there was indeed a data breach. He added that there were invalid data as checked by Vaksincom, however, "Once it is in the internet, it is there forever. We need to remember that," Alfons said.
He also urged the immigration agency to continue the investigation. If the method for data management is substandard and unsatisfactory, immediate improvement is needed.