Indonesia’s ransomware scare highlights need for proper implementation of privacy law

Indonesia has in the past years racked up a lengthy list of data breaches that experts say authorities failed to investigate either properly or transparently, stoking public distrust in the government’s ability to ensure data safety in the country.

Dio Suhenda


The Jakarta Post


Thematic image. While the jury is still out on whether the ransomware attack on BRI did occur, experts pointed to the lackluster implementation of the Personal Data Protection Law as a bigger issue plaguing the country’s cybersecurity. PHOTO: PIXABAY

December 20, 2024

JAKARTA – A ransomware scare has, once again, rung alarm bells surrounding the state of Indonesia’s digital security, which analysts warn has seen little improvement despite the enactment of a privacy law two years ago.

Indonesia has in the past years racked up a lengthy list of data breaches that experts say authorities failed to investigate either properly or transparently, stoking public distrust in the government’s ability to ensure data safety in the country.

In the latest such incident, several organizations that monitor malicious online activities, such as India-based Falcon Feeds and the Dubai-based Hack Manac, reported on their X accounts on Wednesday that hacker group Bashe had launched a ransomware attack against state-owned lender BRI.

BRI was quick to deny these reports, saying that the data samples did not come from its database.

“We have conducted a thorough check on our system and found no ransomware threat there. A further assessment also shows that the published data does not come from the BRI system,” a BRI statement said on Thursday evening.

BRI stated earlier on its Instagram account that the data and funds of all customers were safe, and that its services were running as usual.

“BRI’s IT security system is up to international standards and is regularly updated to deal with various potential threats. Proactive steps are taken to ensure that customers’ information remains protected,” it said.

Pratama Persadha of think-tank Communication and Information System Security Research Center (CISSReC) cast doubt over the reported data breach, saying that the bank’s services would have been impeded had the ransomware attack really happened.

Pratama added that Bashe’s data samples were identical to data found on a publicly accessible file-sharing website.

Several screenshots on X, including those uploaded by Falcon Feeds, showed that Bashe had threatened to release an unspecified amount of user data unless BRI paid an undisclosed ransom by Dec. 23.

Falcon Feeds, however, could not confirm the validity of the data breach.

Bashe first surfaced in April and is thought to be a splinter from the LockBit ransomware group.

LockBit was behind an attack against Bank Syariah Indonesia (BSI) in May last year, when the group used ransomware called LockBit 3.0 to steal 1.5 terabytes of data while also demanding a ransom of US$20 million.

An updated version of the LockBit 3.0 ransomware, called Brain Cipher, was also behind the data disruptions at a temporary National Data Center (PDN) facility earlier this year. The attack impacted databases managed by more than 200 government bodies and caused days-long, massive disruption to public services.

Lackluster privacy law

While the jury is still out on whether the ransomware attack on BRI did occur, experts pointed to the lackluster implementation of the Personal Data Protection Law as a bigger issue plaguing the country’s cybersecurity.

The law came into full effect in October after it was introduced two years ago. It gave a grace period of two years for data controllers to implement the necessary safety measures and for the government to establish a data protection agency, which would answer directly to the President and whose task would be to oversee compliance with the law.

But President Prabowo Subianto still has yet to issue a presidential regulation on the establishment of the oversight body.

“Data controllers should have been ready to comply [with the law] by now, yet data breaches keep on happening,” said Wahyudi Djafar of the Institute for Policy Research and Advocacy (Elsam), which has long campaigned for data privacy.

“That’s the challenge now, and it’s complicated by the fact that the government failed to form the oversight body on time.”

The oversight body, Wahyudi said, is crucial in giving data controllers the necessary benchmark and technical guidelines to ensure that their safety measures are up to par, while also granting the public the right to know how their data is controlled and protected.

Second Deputy Communications and Digital Minister Nezar Patria said the government had, in principle, finished drafting the implementing regulation of the privacy law and that the regulation is expected to be signed by Prabowo early next year.

“The regulation is being synchronized [with other existing regulations] by the Law Ministry. It is also going through a review by other relevant stakeholders,” Nezar added.

Taking initiatives

Cybersecurity expert Ardi Sutedja said that the government’s efforts at disseminating information surrounding the privacy law in the past two years had focused too much on the sanctions companies will suffer if they fail to comply, rather than how to actually implement the law.

He called on companies to evaluate their cybersecurity on a more basic level, such as by ensuring their employees and customers can follow data safety protocols.

“Ensuring data safety does not fall solely on the government; it’s also the private sector’s and the public’s responsibility. In the short term, there should be more efforts to make people aware of basic data safety measures,” Ardi said.
