INDONESIA — In yet another cyber-attack that has sent shockwaves through the online world, the notorious hacker known as Bjorka has reportedly breached security systems and leaked the personal data of millions of Indonesian citizens.
Previously making headlines for exposing personal user information from various platforms in Indonesia, including PeduliLindung, MyPertamina, and most recently, 19 million records from BPJS Ketenagakerjaan, Bjorka is now suspected of hacking and selling 34 million Indonesian passport data at a bargain price on the dark web.
The compromised passport data, according to Bjorka, includes names, passport numbers, passport expiration dates, gender, and passport issuance dates. Screenshots from the dark web show Bjorka, using the username Bjorka, offering the entire dataset of 34 million Indonesian passport data for Rp 150 million (US$10,000). The compressed and uncompressed versions of the file are said to be approximately 4 GB each, with a total of 34,900,867 files.
The news first surfaced when cybersecurity analyst Teguh Aprianto, founder of Ethical Hacker Indonesia, shared the information on his Twitter account @secgron on Wednesday, July 5, 2023.
“Thirty-four million Indonesian passport data leaked and sold on the dark web. The price is only $10k. The data includes passport numbers, full names, date of birth, gender, address, phone numbers, email, facial photos, and signatures,” wrote Teguh.
The tweet gained significant attention, with 2.6 million views, 1,974 comments, and over 13,000 shares as of Thursday, July 6, 2023.
“It’s scary, isn’t it? Data leaks have been happening for a while, but it’s still happening today. I really don’t know how to fix this. What should we do?” tweeted user @Mikae******.
“Apparently, Bjorka has realized that data in Indonesia is open source, so it’s cheap,” wrote user @ngup*****.
“Once they have the data, what do they use it for? Taking out online loans?” wrote user @euri**.
Teguh also directed his tweet toward the official Twitter accounts of the Ministry of Communications and Informatics (Kemkominfo) and the National Cyber and Encryption Agency (BSSN RI), questioning their response to the ongoing issue.
“What have @kemkominfo and @BSSN_RI been doing all this time?” he wrote.
The leaked passport data was further showcased on Bjorka’s blog, Bjork.ai, where the hacker provided a sample of one million passport records for potential buyers to verify the authenticity of the data. However, the link to the sample data was later blocked by Kemkominfo on Thursday, July 6, 2023.
Responding to the issue, cybersecurity expert Alfons Tanujaya, founder of Vaksincom, a network security protection service, has commented on the validity and limited nature of the leaked data.
In an interview with Tekno Liputan6.com on Wednesday, July 5, 2023, Alfons stated that the leaked data is likely valid due to the presence of the National Identity Card Identification Number (NIKIM), which is exclusively held by the Directorate General of Immigration.
“The extent of the leak is still somewhat limited, and the data quality is less appealing to criminals compared to previously leaked data.”
The accuracy and correspondence of the leaked data with the NIKIM numbers, passports, and passport holders’ names are yet to be confirmed by the Directorate General of Immigration. Alfons emphasized the need for further verification by immigration authorities. He added, “It must be confirmed by immigration whether the leaked data matches the NIKIM numbers, passports, and the names of passport holders.”
Despite the limited types of data leaked, Alfons warned that the information can still be used to identify individuals. He admitted that the most significant data breach in this incident is the exposure of NIKIM data, whereas other leaked information is not as significant and has been previously compromised.
Alfons further explained, “Other affected data owners, such as population data, full names, and identification numbers (NIK; Nomor Induk Kependudukan), and other population-related data, have had their NIKIM data and passport numbers added to the leakage.”
When asked for a response, the Director-General of Immigration at the Ministry of Law and Human Rights (Kemenkumham), Silmy Karim, confirmed that an investigation into the alleged data breach is underway.
“We are currently investigating the validity of the leak,” Silmy Karim stated via a text message to Liputan6.com.
Silmy further revealed that the immigration data centre currently utilizes the National Data Center (PDN; Pusat Data Nasional) of the Ministry of Communications and Informatics (Kominfo). They are collaborating with the National Cyber and Encryption Agency (BSSN; Badan Siber dan Sandi Negara) and Kominfo to investigate the matter.
“Yes, we are working with BSSN and Kominfo,” Silmy said when approached by Kompas.com.
According to the official website of Kominfo, the development of the PDN is part of the government’s policy, including Article 27 of the Presidential Regulation on Electronic-Based Government Systems.
The PDN provides various services, including government cloud computing, data integration, and consolidation for central and regional government institutions.
As for the ongoing investigation, the Director-General of Information and Public Communication at Kominfo, Usman Kansong, revealed that there are discrepancies between the structure of the data found in the PDN and the circulating leaked data.
“Based on the preliminary investigation, there are differences in the data structure between the one in the National Data Center and the one circulating,” Usman said in a statement to Kompas.com last Wednesday (5 Jul).
Usman stated that Kominfo is currently preparing regulations to prevent future data breaches. “As part of long-term prevention, we are preparing regulations based on Law No. 27 of 2022 on Personal Data Protection,” he said.
He further mentioned that Kominfo is working on drafting Government Regulations (Peraturan Pemerintah/PP) and Presidential Regulations (Peraturan Presiden/Perpres). The PP is expected to be issued by the end of 2023, while the Perpres is planned for release in September 2023.
Usman added that, in addition to issuing regulations, Kominfo will also expand the National Data Centers (PDN) in several locations in Indonesia. “We are building national data centers in 4 locations, namely Bekasi, Batam, IKN, and Labuan Bajo,” he said.
In a bid to strengthen data infrastructure and enhance cybersecurity measures, the Ministry of Communications and Informatics (Kominfo) has embarked on an ambitious project to establish the first government-owned National Data Center (PDN) in multiple locations across Indonesia.
The urgency to fortify data protection measures arises from the persisting issue of data breaches in Indonesia. Semuel Abrijani Pangerapan, Director-General of Informatics Applications at Kominfo, revealed that between 2019 and 2023, the ministry has addressed a total of 94 data breach cases.
Notably, the number of data breaches spiked by 75% in 2023, accounting for 35 cases. As of June 2023, Kominfo has already handled 15 data breach incidents.
Semuel clarified that out of the 94 cases handled, after assessments and forensic investigations, 28 cases were identified as cybersecurity breaches or system vulnerabilities, rather than violations of personal data protection.
