July 7, 2023
JAKARTA – The data of more than 34 million Indonesian passport holders at the Immigration Directorate General have been reportedly breached by pseudonymous hacker Bjorka.
Cybersecurity researcher and consultant Teguh Aprianto first revealed the cyberattack on Wednesday through his Twitter account @secgron.
Among the leaked data are full names, passport numbers, expiry dates, dates of birth and gender of 34.9 million Indonesian passport holders. The 4-gigabyte-data was offered for US$10,000.
Bjorka also offered 1 million samples of the stolen data in a hacker platform, showing passport data taken between 2009 and 2020. “It looks like the data is valid judging from the given sample,” Teguh wrote.
The Communications and Information Ministry launched an investigation on Wednesday night to verify the reported breach on personal data from 34.9 million Indonesian citizens’ passports.
But the ministry could not confirm there had been “a breach of the massive amount of personal information” as reported, said the ministry’s Applications and Informatics Director General Semuel Abirjani Pangerapan in a statement.
Separately, the ministry’s Information and Public Communication Director General Usman Kansong said there were some differences in the data structure between Bjorka’s breached data with the ones kept in the national data center, as reported by Antara.
The communications ministry would continue the investigation and coordinate with the National Cyber and Encryption Agency (BSSN), which is mandated to formulate government policies on cybersecurity, and the Immigration Directorate General.
The passport data breach is the latest of a series of data leaks occurring in the country. Most recently, hacker group LockBit ransomware claimed in May to have breached 1.5 terabytes of private data managed by state-owned sharia bank Bank Syariah Indonesia (BSI).
The Communications and Information Ministry recorded at least 94 reported breaches of databases in the past four years. Two thirds of the incidents allegedly occurred in the databases managed by private electronic service providers, while the rest happened in the databases of public providers.
Indonesia passed the Personal Data Protection Law in September 2022, which grants citizens more control over their personal information online. The law also requires data controllers and processors to ensure the rights of data subjects and the security of their data, including by setting up firewalls and encryption systems. (kuk)