November 23, 2022
Jakarta – The government is once again in the spotlight for failing to protect citizens’ data following an alleged breach of the COVID-19 tracking app PeduliLindungi. This is the second apparent hack into a state database since the country’s privacy law was enacted in October.
Bjorka, a pseudonymous hacker who previously claimed to have obtained and leaked the personal data of President Joko “Jokowi” Widodo and his ministers, last week offered 3.2 billion data entries allegedly belonging to users of the PeduliLindungi app on a hacking forum for US$100,000 in Bitcoin. The data included user contact details, ID card details, travel history, vaccination status, and COVID-19 test results.
The government uses PeduliLindungi, a de facto essential app, for COVID-19 contact tracing and vaccination verification.
An employee of the Cyber and Crypto Agency (BSSN). The app was created by the Ministry of Communications and Information and Telkom, a state-owned telecommunications company. The Ministry of Health, which controls the app’s data, also said it was investigating the alleged breach and verifying the authenticity of the stolen data.
“We have coordinated and initiated a data verification and investigation to verify the alleged Peduli Lindungi data breach,” BSSN spokesperson Ariandi Putra told The Jakarta Post on Friday.
Health Minister Budi Gunadi Sadikin denied that the data came from the PeduliLindungi database maintained by his office, kompas.com reported.
The incident comes less than a week after Bjorka put up for sale 44 million personal data entries believed to belong to users of fuel payment app MyPertamina on the same hacking forum. The alleged leak is under investigation by state-owned oil and gas giant Pertamina.
The Personal Data Protection Act, enacted in October after a series of digital attacks against states and private institutions, seeks to give citizens more control over their personal information online and promote better cybersecurity. Data controllers and processors should ensure the rights of “data subjects” and the security of their data, for example by setting up firewalls and encryption systems.
However, the law gives data processors two years to put security systems in place, and no data protection oversight body has been established to administer sanctions and fines.
“The transition period has become an important time to ensure data controller compliance. To date, it remains unclear which agency has this role, as there is no oversight body,” said Wahyudi Jafar, executive director of the Policy Research Advocacy Institute (Elsam).
Despite the two-year grace period to build a better system, Wahyudi said PeduliLindungi’s data controller, the Ministry of Health, must at least notify data subjects of a possible data breach and of how to mitigate it within 72 hours of discovering the problem, as required by the privacy law.
As of Monday evening, no such notice could be found anywhere.
Pratama Persadha of the Research Center for Communications and Information Systems Security (CISSReC) said the data sold by Bjorka appeared to be identical to the contents of the PeduliLindungi database, based on a sample comparison, which made the Health Minister’s denial of a breach hard to believe. He asked the ministry to perform digital forensic analysis to verify the information leak.
According to NasDem Party lawmaker Muhammad Farhan, House of Representatives Commission I, which oversees intelligence and information, plans to discuss the alleged PeduliLindungi data breach with the Communications Minister on Wednesday.
Shortly after the Privacy Act was enacted, Commission I established a Data Security Working Group to oversee how the government implemented the new legislation and built a stronger cybersecurity system.