Using smartphones and tech-empowered platforms to access financial products is now second nature for many Southeast Asians. Bank-like services are often just a few taps away. But recent complaints about the possible misuse of user data stored by Traveloka is bringing to light the serious matter of data security practices lagging behind the proliferation of easily accessible features. At the moment, victims must contend with wrecked personal credit scores, yet the larger issue of data protection has yet to be addressed.
When Rachmat Haryanto applied for a new credit card in 2019, he was surprised when the bank rejected his application. The bank said he had a bad credit score, but Haryanto was sure that he had no outstanding bills. He looked up his credit history and found two unpaid bills marked as owed to Caturnusa Sejahtera Finance, a company commissioned by Traveloka to operate its pay later service.
Haryanto is a photographer, and he frequently travels for assignments. Oftentimes, he booked plane tickets and hotel rooms through Traveloka, but he never signed up for the company’s pay later service. “Bank Indonesia blacklisted me for two outstanding bills, one for IDR 8 million (USD 561) and another for IDR 10 million (USD 710), on Traveloka’s PayLater,” Haryanto told KrASIA.
Ready to file a complaint, Haryanto contacted Indonesia’s financial authority, OJK. The representative he spoke with told him to contact Traveloka directly and resolve the matter. “The bank also advised me to ask for a disclaimer from these companies so that the bill could be written off to remedy my bad score so I could reapply for the credit card,” Haryanto said.
The photographer did precisely that. He visited Traveloka’s office in Jakarta to report the error and demanded that the company fix the problem right away. “The data in the billing details is not completely accurate. While my name and national ID number are correct, the job information, address, and cellphone number are wrong. So apparently, it only takes a name and ID number to misuse the data,” he told KrASIA. Traveloka settled the matter and issued a written disclaimer per Haryanto’s request.
Bad credit scores, no matter the root cause, make it difficult for individuals to apply for credit cards, loans, mortgages, and other financial services offered by banks.
Haryanto’s case was not an outlier. After he wrote about his experience in a letter published by local media outlet Detik, more people said they had encountered the same issue. “To this day, many people contact me to share similar experiences.”
Another customer who goes by the handle “Ridu” on Twitter recently shared his experience via a tweet thread. Like Haryanto, Ridu’s credit card application was rejected because of poor credit. “As it turned out, I had three unpaid transactions from May 2019, all from Caturnusa,” he told KrASIA.
Ridu’s thread caught the attention of Traveloka, which reached out to the user and asked for screenshots of his credit score reports, as well as a photo of his ID card and a selfie for verification. A few hours after Ridu submitted these materials, Traveloka sent him an email to apologize for the misuse of his personal data. Ridu’s “debt” was written off by the company.
The common theme in the cases of Haryanto, “Ridu,” and other Traveloka users whose credit scores have nosedived for no apparent reason is that none of them signed up for Traveloka’s pay later services facilitated by Caturnusa. Also, none of these users ever received an invoice or were contacted by debt collectors. Those who discovered their outstanding debt only found out when they looked up their credit scores after their applications with financial institutions were turned down. This raises a question: who is using the data of Traveloka’s customers to formulate transactions in Caturnusa’s records? And why are they doing this?
Haryanto offered one guess. “From many conversations I had with other victims and people familiar with fintech and tech companies, there is an allegation that Caturnusa took data from Traveloka’s users to make those transactions so they would have healthy activity and transaction cycles on the platform. But again, this is just speculation,” he said.
“Ridu” believes that this was the most likely reason behind the “debt” he carried. “Other victims who contacted me said that their transactions also took place in 2019. And I found out that Traveloka did not require ID card verification and photos back then [for their pay later service],” he said.
Aside from its PayLater vertical, Traveloka also offers an insurance product to its users by partnering with companies like Chubb and Astra Life.
Traveloka has yet to respond to KrASIA’s request for comment on the matter.
How do fintech operators use their customers’ data?
The Indonesian Consumer Foundation said 33.5% of the complaints it received in 2020 targeted financial service providers, the largest portion by sector in its overall volume. Most consumers accused these businesses of misusing or exploiting their user data, specifically pointing to illegal peer-to-peer lenders.
Fintech companies often say they use customer data for risk analysis, fraud detection, and to customize services based on user activity and preferences. In 2018, OJK established regulations for how fintech companies can utilize their customers’ data—all financial service providers must maintain the confidentiality, integrity, and accessibility of customers’ personal, transactional, and financial data from the moment these companies acquire the data until the point in time when it is removed from their servers. Service providers must also obtain consent from users for data utilization, as well as explain the purpose and limitations clearly. Moreover, data collection methods must guarantee confidentiality and security.
All fintech platforms with valid licenses from OJK, like Traveloka PayLater, must comply with these regulations. It is currently unclear how a series of unauthorized loans were issued through Traveloka’s pay later service.
Indonesia struggles with weak protection of personal information in the public and private sectors. There were at least seven major data breaches in 2020, including those involving large tech companies like Tokopedia and Bukalapak, as well as Indonesia’s general elections commission (KPU). In May, the server of BPJS Kesehatan, the country’s healthcare and social security agency, was allegedly hacked, resulting in the data of 279 million Indonesians, including deceased individuals, being posted on a hacker forum.