A data breach affecting 91 million accounts on Indonesia’s most prominent e-commerce platform Tokopedia has raised questions about when the country’s parliament will finally enact a law on data and privacy protection.
The hack affecting Tokopedia’s 91 million active accounts shows how serious the data protection problem in Indonesia is, making the law an urgent matter.
Siber Indonesia Communication & Information System Security Research Center (CISSReC), a research firm specialising in cybersecurity, warned that online and offline personal data are prone to misuse by unscrupulous parties.
“The most crucial thing is, personal data has not been protected,” CISSReC chairman Pratama Persadha said in a statement on 4 May.
Although Tokopedia should be held accountable for the data leak, that may not happen because there is no data privacy law, leaving Tokopedia users’ data exposed to cybercrimes such as phishing.
Tokopedia data breach: The chronology
The Tokopedia data breach was first spotted when a hacker nicknamed Whysodank published the results of his hack on Raid Forum, an internet forum containing information related to databases and data leaks, Bisnis wrote.
Another hacker under the nickname ShinyHunter posted a sale thread for 91 million Tokopedia user accounts on Empire Market, one of the dark web forums. From there, the account @underthebreach published news of the Tokopedia hack on Twitter.
Pratama warned that the data leak affecting Tokopedia could spread to other social media platforms if users use the same ID and password, calling on the government’s social media officers to take precautionary actions to protect their accounts.
What is in the draft Bill on data and privacy protection?
On 24 January, President Joko Widodo signed the draft Bill on data protection, which was supposed to be discussed with the parliament after the Omnibus Law.
There are three main points in the draft Bill, as Minister of Communication and Information Johnny G. Plate elaborated: data sovereignty, data ownership related to personal data or other specific types of data, and data traffic management, KataData reported.
The draft Bill defines personal data as any data about an individual, which is identified separately or can be combined with other information either directly or indirectly, through both electronic and manual systems.
Those who violate or misuse personal data will face a seven-year jail term or a fine of up to Rp 70 billion.
If there is a failure in data protection, personal data controllers are obliged to inform data owners or supervising agencies within 14 days.