Growing risk to Indonesian citizens’ privacy as breaches and leaks appear on marketplaces
On July 22, DataBreaches reported on some recent breaches affecting Thai citizens and residents. In researching that post, DataBreaches was struck by the number of listings or offerings of data from ASEAN countries. In this post, DataBreaches provides a partial listing of some recent leaks or breaches affecting Indonesian citizens and residents.
In general, the listings described below are not the work of just one individual or group, although three hospital breaches reported here do appear to be the work of one individual.
- 260,000 patients of Melati Husada Hospital
The hacker tells DataBreaches this was a hack that exported SQL data. The hospital already knows, they claim, because the hacker also defaced one of their IoT software. The hacker also tells DataBreaches that no ransom or extortion demand was involved.
“I’ve never blackmailed hospitals because I am human and know that they need funds to cure patients. Just having fun with public data and will only profit by selling data,” they tell DataBreaches.
The hospital has not responded to any inquiry from DataBreaches, so this site does not know if any patients have been notified at all. There was no notice on their website about any breach.
- 24,000 patients of Raja Musa Hospital
The same individual also breached this hospital. And:
- 33,000 patients of Citra Husada Melawi Hospital
- Indonesia Vaccine Data
Reportedly has 690,000 records and 16,560,278 lines.
- Medical Check Up Biotest Indonesia DataBase
SQL database with 76,528 records.
- 36 Million Indonesian Cars – 2022 Data
The same individual also lists:
- 1434 Million Telephone Database 2021
The database reportedly includes all mobile operators in Indonesia and includes consumers’ personal ID account number and mobile phone number.
Note: The Ministry of Communication and Information Technology overlaps with police to monitor and investigate cybercrimes of this type.
- 40,000 Indonesian Customer Records
Perhaps people find out what the source is when they pay to get access to the data. The headers include: Name, Email, Phone, City, Address, City Latitude & City Longitude
- Indonesia LotteMart database
Described as some small leak of about 5,000 lines. May be old data.
- Sales of Indonesia Mining Industry Holding Data
Includes in-house correspondence, purchase invoices and other confidential information from a named corporation.
- Indonesian Courier (TIKI) SQL Database
A small (500 lines) SQL database of data from 2018.
- Indonesia personal credit service website data – 890,000
The Excel document contains a number of fields: Email, Gender, Date of Birth, Education Code, Family Status Code, Position Code, Marital Status Code, Place of Birth, Residential Address, Creation Time, Company Name, Mother’s Maiden Name, Home_Telephone, Spouse Name, Spouse_Date of Birth, Monthly Income, Company Address, Company Phone, Company Province Code, Company Area Code, Telephone, Address.
The listing provides a sample of 1,000 records.
Note: The Bank of Indonesia is involved in data protection in the banking sector.
- Indonesian Student Personal Data
The person listing the data begins, “today i wanna sell student personal data.” The data is reportedly 3.5 GB in size and a sample is offered.
- Indonesian Police — Full Database — 2020
- Indonesia Police / POLRI FULL DB – 2021
Another offering of a police database, this one from 2021. The full database reportedly includes information on approximately 467,000 police personnel and includes their ranks, name, unit, email address, and mobile number.
- Indonesian Customs / Dirjen Bea Cukai Database – 2022
Allegedly taken from the government’s website, information on 2,064 officers with their name, ID number, rank, section, department, and location. Includes pictures of officers.
- Indonesian Voters Data – Badung Regency Bali
Described as voters’ data from Badung Regency in Bali. The data consists of about 360,000 rows with the headers being:
No. Kabupaten Kecamatan Desa Nik Nkk Nama Pemilih Tempat Lahir Tanggal Lahir Umur Status Kawin Jenis Kelamin Alamat Dusun RT RW Cacat TPS
Data Protection Challenges in Indonesia
Badan Siber dan Sandi Negara (BSSN), is Indonesia’s primary cyberintelligence, cyberthreat, and cybersecurity agency. But you can’t do a great job enforcing laws if the laws do not exist. Like the U.S., Indonesia does not have a comprehensive data protection regulation. Also like the U.S., it tends to have a patchwork of laws, some of which are sector-specific and some of which overlap. As recently as June 30, Estey Chen reported:
Cyberattacks in Indonesia are increasing in frequency. During the first quarter of 2022, targets in the country faced over 11.8 million cyberattacks, which cybersecurity company Kaspersky reports is a 22 percent increase from the same period in 2021. Meanwhile, Indonesia’s National Cyber and Crypto Agency (BSSN) recorded over 1.6 billion “traffic anomalies” in 2021, according to its annual report released on March 30. Over 62 percent of the “anomalies” were attributed to malware, followed by trojan activity and phishing attempts. Furthermore, Indonesia experienced more ransomware attacks in 2021 than any other Southeast Asian country, according to an Interpol report.
Despite the magnitude of Indonesia’s cyberspace vulnerabilities, the country’s government has yet to implement comprehensive cybersecurity or data protection bills.
(Read more at The Diplomat)
So things are getting worse (as they are in many parts of the world), and one reflection of that may be the increased number of sales listings DataBreaches has observed for Indonesian entities.
DataBreaches reached out to BSSN last week to ask them what they were doing in response to the growing problem, but received no reply.
What appears to be an uptick in listings — as well as an uptick in the number of listings of people looking to buy data from ASEAN countries — does not surprise DESORDEN Group. In recent communications with DataBreaches, they commented that the uptick might be related, more or less, to the fact that some ASEAN countries have recently enacted data protection laws. Whether the data protection laws are just making us more aware of leaks and breaches by requiring disclosure or if more threat actors are attacking ASEAN entities because they can try to extort them with threats of reporting them to regulators is unclear to DataBreaches, but DESORDEN claims that they are seeing an actual uptick in activity. They tell DataBreaches:
Companies in developing countries in Asean usually does not bother to respond, instead we sell the databases via middleman and there are high buyers for these data in this region. We believe these stolen databases ended up in the hands of China people operating scam call centers in Malaysia, Cambodia and Laos region. Nothing much can be done. If a company does not respond, the data has to end up somewhere for a profit.