Cyberlands.io - API Penetration Testing

Top 10 Cybersecurity Breaches in Indonesia

Learn about the state of cybersecurity in Indonesia and the 10 biggest breaches in this country.
Cybersecurity is not considered to be Indonesia's strongest point. The country is ranked first in Southeast Asia and 60th in the world regarding the dangers posed by Internet surfing. In the first quarter of 2022, the country faced over 11.8 million cyberattacks. In 2021, BSSN recorded 1.65 billion cybersecurity traffic anomalies.

The country passed its first data protection bill in September 2022. Until then, personal data was not defined in the law, meaning it was difficult to punish violations. Indonesians' data is regularly exposed to the point where citizens jokingly call it an "open-source country."

This has led to a number of big data violations. We have made a list of the top 10 cybersecurity breaches in Indonesia to learn from.
#1 Hacker Stole 15 Million Records From Large Indonesian Marketplace Tokopedia
Tokopedia is the largest and one of the most-visited eCommerce businesses in Indonesia, serving over 100 million active users monthly. It is also one of Indonesia's biggest tech unicorns.

That is why the breach of March 2020 made breaking news in the country. The hacker obtained the data of 15 million users, including full names, emails, phone numbers, hashed passwords, dates of birth, and marketing data.

The hacker published some of the data on a famous hacking website, asking users to help them crack the passwords so that they could reuse them for other purposes. The passwords were protected by the SHA2-384 hashing algorithm, which takes some time to crack. This gave users time to change their passwords before the hashes were cracked.
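
How long leaked password hashes hold up depends on how they were stored, which the following added example illustrates (it is not code from Tokopedia or from the original article). It contrasts a bare SHA-384 digest with a salted scrypt record; the page does not say whether Tokopedia's hashes were salted, so the unsalted form, the sample accounts and the scrypt parameters are assumptions made for the comparison.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to share a password.
SAMPLE_USERS = {"user_a": "Jakarta2020!", "user_b": "Jakarta2020!", "user_c": "k0pi-susu"}

# scrypt cost parameters (assumed values for this example; tune to your hardware).
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def fast_digest(password: str) -> str:
    """Bare SHA-384: one cheap hash call per guess, same input gives same output."""
    return hashlib.sha384(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted scrypt record stored as 'salt_hex$key_hex'."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = record.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def accounts_sharing_stored_value(table: dict, user: str) -> list:
    """Users whose stored value is identical to this user's, as visible in a dump."""
    target = table[user]
    return sorted(u for u, v in table.items() if v == target)


def build_tables():
    """Store the same sample accounts both ways."""
    fast = {u: fast_digest(p) for u, p in SAMPLE_USERS.items()}
    slow = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return fast, slow


if __name__ == "__main__":
    fast, slow = build_tables()
    print("SHA-384:", accounts_sharing_stored_value(fast, "user_a"))
    print("scrypt :", accounts_sharing_stored_value(slow, "user_a"))
```

With bare digests, one recovered password identifies every account that reused it; with per-user salts and a memory-hard function, each record has to be attacked separately and at a much higher cost per guess.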

The company quickly responded to the event, urging users to change their passwords and starting an investigation. Tokopedia said that crucial information, such as payment data and passwords, was safe.

Yet, personal data was leaked. In two months, a full database with 91 million records appeared on the darknet for sale. It cost only $5,000.
#2 Data Breach in the Covid-19 Test-and-Trace Mobile App Potentially Affected Around 1.3 Million Users
There were numerous incidents of breaching COVID-19 tracing apps, and Indonesia was not an exception.

Independent researchers found that the electronic Health Alert Card (eHAC) app potentially exposed the data of 1.3 million users. The exposed data included users' health status, personal data, contact details, and COVID-19 test results, as well as the entire infrastructure around eHAC, including private records from hospitals and Indonesian officials using the app.

The app stored around 2 gigabytes of records in an unsecured database. The Elasticsearch database, which is usually not designed for URL use, could be accessed via the browser. Experts said unprotected data can be used for fraud, phishing, hacking, and disinformation campaigns.

The health ministry and the Indonesia Computer Emergency Response Team did not do anything after being informed about the breach. The National Cyber and Encryption Agency was contacted later; it took down the server and urged citizens to delete the app.

The country created a new app, PeduliLindungi (care protect), but it leaked the Indonesian president's COVID-19 vaccine certificate in no time. This highlighted how much stronger security measures were needed in governmental structures.
#3 Ride-Hailing Gojek Exposed Major Security Flaws
Gojek is an Indonesian multi-service platform, including GoRide, GoSend, GoShop, and GoFood. It is the country's highest-valued startup on record.

Independent researchers found a breach potential in its app that came from two unsecured APIs. The first one was in the ride history: it let hackers read a list of all rides taken by any user and further exploit the vulnerability to see details of orders customers made and even meddle with notifications users receive. The second problematic API exposed user data, including phone numbers and pickup and drop-off points.
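
An API that returns any user's ride list is missing an object-level authorization check. The following added example (not Gojek's code and not from the original article) shows such a handler beside a corrected one, plus a regression check that a team can run against its own handlers; the data, tokens and function names are hypothetical.

```python
# Constructed in-memory data standing in for a ride-history backend.
RIDES = {
    "u1": [{"ride_id": 1, "pickup": "Blok M", "dropoff": "Kemang"}],
    "u2": [{"ride_id": 2, "pickup": "Senayan", "dropoff": "Menteng"}],
}
SESSIONS = {"token-u1": "u1", "token-u2": "u2"}  # session token -> authenticated user


def ride_history_vulnerable(token: str, user_id: str):
    """Checks that the caller is logged in, then trusts the user_id parameter."""
    if token not in SESSIONS:
        return 401, None
    return 200, RIDES.get(user_id, [])


def ride_history_hardened(token: str, user_id: str):
    """Object-level check: the requested user_id must be the session's own user."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if user_id != caller:
        return 403, None
    return 200, RIDES.get(caller, [])


def cross_user_leaks(handler):
    """Regression check: call the handler as each user for every other user's id."""
    leaks = []
    for token, caller in SESSIONS.items():
        for target in RIDES:
            if target == caller:
                continue
            status, body = handler(token, target)
            if status == 200 and body:
                leaks.append((caller, target))
    return sorted(leaks)


if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(ride_history_vulnerable))
    print("hardened  :", cross_user_leaks(ride_history_hardened))
```

Running a check like `cross_user_leaks` in CI for every endpoint that takes an object identifier catches this class of flaw before release.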

The company received notification from the researchers and said it had fixed the issue. They also shared that they pay hackers to find their vulnerabilities to keep bugs in check.
#4 Indonesian Universal Healthcare Program Leaked Social Security Data of 279 Million People
Another case of governmental breach happened in 2021. It involved BPJS Kesehatan, the National Health Care and Social Security Agency which manages the country's universal healthcare program.

The Agency has a database of 222.5 million users, covering about 82 percent of Indonesia's overall population. A user named Kotz published data samples on three websites, claiming that they included data on 2 million people. In fact, there were 100,002 records. The hacker also claimed to have the personal data of 279 million people, alive and deceased, including their full names, ID card numbers, email addresses, phone numbers, dates and places of birth, as well as salary details. It also included details on BPJS Kesehatan: their offices, numbers, employees, etc.

Indonesian officials banned access to the websites and all other data-selling websites and launched an investigation. They say that their security system is complex and multi-layered, and it is likely that someone inside the company has stolen the data. Human errors are among the most common causes of data breaches. However, there is still no decision.
#5 A Hacker Exposed 1.3 Billion Indonesian SIM Card Registration Profiles
In 2017, the country made its citizens register SIM cards, providing such details as the NIK (citizenship identification number), the name of the cellular operator, as well as the registration date of the phone number. Ironically, the measure was claimed to protect citizens from spam.

In 2022, a hacker named Bjorka put up 1.3 billion Indonesian SIM card registration profiles for sale. That is more than the number of citizens, but it is standard to have more than one number in the country. The hacker exposed how vulnerable the Indonesian cybersecurity system is.

Previously, the hacker also leaked a log of incoming and outgoing confidential documents between the President and the State Intelligence Agency. They also shared the personal data of public political figures, including phone numbers, identity numbers, and vaccine numbers.
#6 Indonesian Fintech Startup Cermati Leaked Data of 2.9 Million Users
Cermati, a fintech aggregator startup, provides financial product comparisons and enables loan and credit card applications and bill payments. Since it stores such valuable information as credit card numbers, the startup often becomes a target for cyberattacks.

In 2020, Cermati faced a massive breach: the data of 2.9 million users was stolen. The data included full names, e-mails, addresses, phone numbers, bank accounts, occupations, taxpayer registration numbers, ID numbers, etc. The information was sold for as cheap as $2,200.

After learning about the breach, the company warned users and started an investigation process. They also started to upgrade their security system.
#7 Insurance Company BRI Life Exposed Banking Details of 2 Million Customers
BRI Life is an insurance department of the state-owned Bank Rakyat Indonesia. In 2021, it leaked the data of 2 million users, including bank account details, copies of Indonesian identification cards, and taxpayer details.

The company found that it happened because the computers belonging to BRI and BRI Life employees had been compromised. The unidentified hackers gained access to the entire company from there. The data went online for $7,000.

BRI Life immediately started an investigation to trace the hackers and how the computers were compromised. They also worked with cybersecurity experts to improve their security system overall.
#8 Breach at Indonesian Ministry of Health Leaked 720GB of Personal Data
Governmental structures have proven themselves to not be the safest entities in Indonesia, and the Ministry of Health breach is yet another proof. In 2022, they leaked the data of six million patients.

There were 720GB of leaked data that included full names, hospitals, patient photos, COVID-19 and lab test results, BPJS (healthcare) referral letters, and X-Ray scans. The data was sold on Raidforums, a dark web forum.

The hackers claim to have obtained it from the centralized server of the Indonesian Ministry of Health. The Ministry released a statement in which it said it was investigating the breach and working closely with the Minister of Communications and Informatics on the matter.
#9 Telecom Company PLN Data Breach Exposed Data of 17 Million Citizens
In 2022, Indonesia continues to suffer major data breaches in both private and state-owned businesses. Until recently, this was not punishable in the country and, therefore, the majority of cases are not even investigated properly. The citizens urge the government to create a data protection bill.

The state-owned utility company Perusahaan Listrik Negara (PLN) and the telecom company IndiHome allegedly leaked data of millions of users.

PLN leaked data of more than 17 million citizens, including their IDs, names, addresses, and energy consumption. The company is currently investigating the case while the data is up for sale on the breach.to forum.

IndiHome is denying the breach, claiming that the leaked data is not valid. If it is valid, though, it would mean that the data of 26 million users is on the Internet as well, including their browsing history, ID cards, emails, phone numbers, passwords, domains, platforms, and URLs.

The country did no more than promise an investigation and send advice on better security.
#10 Chinese Hackers Breached Servers of 10 Indonesian Government Agencies
Mustang Panda, also known as Bronze President, HoneyMyte, and RedLich, is a Chinese hacker group known for its espionage against the countries of Southeast Asia.

In 2021, they managed to breach 10 Indonesian government agencies, including the country's intelligence agency Badan Intelijen Negara (BIN). They used PlugX malware, a trojan that grants remote access and control over an infected device.

The breach was not discovered by the government but by the researchers. They notified agencies and got no response. However, the infected servers were cleaned up soon after they sent the message.
Conclusion
Indonesia has a decentralized system for everything, but cybersecurity and data protection need a centralized approach to hackers, considering how many attacks the country experiences on a regular basis. Its experience shows that data protection should be regulated in order to minimize breaches and to spread awareness about the topic.
Cyberlands.io Team