Indonesian fintech aggregator platform Cermati reportedly had 2.9 million of its users data leaked and sold in a hacker forum. This is the latest case of data breach plaguing Indonesian startups.
The issue was first raised by cybersecurity consultant and founder of Ethical Hacker Indonesia Teguh Aprianto on Twitter. According to him, leaked data includes users’ full names, e-mails, addresses, phone numbers, bank accounts, occupations, taxpayer registration numbers (NPWP), national ID numbers, and more. Aprianto added that the data was sold for USD 2,200 in hacker forums.
Besides providing financial product comparisons, Cermati also facilitates loan and credit card applications and bill payments from its platform, which has led to a variety of personal information being stored in its database.
Cermati didn’t immediately respond to KrASIA’s request for comment.
However, the company sent an e-mail blast to users on October 31. It didn’t address the data breach issue, but warned that there was an unauthorized access into the company’s platform, which stores users data. The e-mail stated that Cermati had taken countermeasures to improve its security system, such as contacting the National Cyber and Encryption Agency (BSSN) for investigation and consulting external cybersecurity experts for system upgrades.
The e-mail also encouraged users to renew their password and activate the two-factor authentication (2FA) feature to block unauthorized access.
Indonesian startups have been known to face difficulties in battling data hacks. In May, Indonesian e-commerce unicorn Tokopedia allegedly had 15 million of its users’ data published on a hacker site called “Raid Forum”. Other platforms that have had problems with scammers are travel tech provider Tiket and O2O platform Kudo (now GrabKios by Kudo).