Hendrik Yaputra, Jakarta – Indonesia's temporary National Data Center (PDN), managed by the Ministry of Communication and Informatics (Kominfo) and Telkom Sigma, was compromised by a ransomware attack on June 20, 2024.
Executive Director of the Institute for Community Studies and Advocacy (ELSAM), Wahyudi Djafar, said this showcases the government's suspected failure to protect the personal data of Indonesian citizens. He urged Kominfo to notify the public about the issue.
"The notification must at least include information about the type of personal data leaked," said Wahyudi in a release received on Tuesday, June 25, 2024.
The government must also detail when and how the personal data was leaked and what actions are taken to recover the situation. The notification mechanism is contained in Law No. 27 of 2022 concerning Personal Data Protection.
The temporary PDN processed citizens' personal data obtained from the ministries or other governmental agencies that stored its data in the data center.
ELSAM lamented this incident, emphasizing the role of the government in personal data protection. According to the agency, PDN operation must be standardized to ensure the system's reliability.
"Additionally, (the government) must conduct regular security monitoring and audits to anticipate any threats and risks. Now, the question is whether (the government) has carried out these actions," said Wahyudi.
Since the unfortunate has happened, BSSN must complete the investigation process to find the root cause of the incident. BSSN is also obliged to give reports to the general public and conduct a recovery process for the system and data stored on the temporary PDN infrastructure.
"Recovery is important because ransomware attacks can result in further attacks on availability of data, or loss of data managed in the system," said Wahyudi.