When an internet economy mushrooms without the right fail-safes developed in step, bad things happen, and it is the users who bear the brunt. Hackers are hitting unsecured targets in Indonesia, each time grabbing larger and larger datasets that contain private data. This information is then leaked on the dark web, hacker forums, and even social media platforms. Some is put up for anyone to download and exploit, while other sets are for sale. Information generated by consumers has a price tag, and buyers are aplenty—marketing firms, election campaigns, and the country’s many unlicensed fintech lenders that are operating scams by forcing loans onto unwitting people.
In May, the server of Indonesia’s healthcare and social security agency, BPJS Kesehatan, was breached. One hacker managed to copy the data of 279 million Indonesians—possibly most of the country’s population plus some deceased individuals. Data breaches like BPJS’s can lead to a myriad of unwanted consequences for consumers, from identity theft to fraudulent credit card activity. Doddy Darumadi, a lawyer at the Nenggala Aluguro law firm in Jakarta, told KrASIA that he has represented many clients who have been wronged in cases related to illegal peer-to-peer lending since 2017.
Every year, the number of cases increases as illegal platforms offering instant loans continually crop up. Many victims are trapped with debt that they cannot pay off. The creditors are generally P2P lenders that acquire user information unlawfully and then force high-interest loans onto them. “Several victims came to me and said they received money sent from fintech platforms along with a bill. These platforms charge high interest in short tenure. The problem is they never applied or agreed to borrow money from these platforms,” Darumadi told KrASIA. The lawyer added that his firm handles at least 20 new cases related to illegal lenders every week.
Fintech platforms that operate without the proper licenses build their user bases by sourcing data from hackers and data brokers, who sell personal information at a fairly low price. A person’s credit card details go for USD 6–20. An ID with a full name, date of birth, email, and mobile number costs USD 0.5–10. A selfie with supporting documents for visual verification has a heftier price tag at USD 40–60, according to data compiled by Kaspersky.
Shoddy cybersecurity is largely to blame for the free flow of private data in these circles. Most breaches in Indonesia come to light only after hackers sell their harvests on the hacker community site Raid Forums, which is on the open web. Indonesia’s IT ministry blocked the site recently, but it is still easy to access with the right tools. Even so, there is a wealth of personal information up for sale in less visible corners of the internet. A cybersecurity activist with the handle “Dendi Zuckergates,” who co-founded an online community for IT enthusiasts called Orang Siber Indonesia, said there are actually far more data breaches involving Indonesians than what is reported in the media.
“After BPJS’s case, servers of several civil registry service offices such as those of Bogor and Bekasi [cities in Indonesia] were hacked, and people are selling datasets containing millions of pieces of personal information from those servers on Raid Forums. Usually, only half of it is real, while the rest of the data is fake. Hackers do this to jack up the price,” Zuckergates told KrASIA. “Data purchases usually use cryptocurrencies like bitcoin, so it is safe and untraceable.”
Building business and winning elections by using stolen data
As in many illicit trades, solo practitioners may band together to pool their resources and form larger operations. “In addition to individual hackers or sellers, there are also many syndicates selling personal data. They consist of several members with different jobs. Some are in charge of hacking a system, some are in sales, while others are in charge of buying data from several sites for resale, and so on,” said Zuckergates.
Those who buy stolen data can use it for many purposes. Sometimes, personal information is purchased by marketing firms that specialize in spam campaigns; others buy it to improve the success rate when they identify marks for scams. Occasionally, there is a political dimension too. Leaked data is often bought by agencies ahead of elections for outreach through SMS on behalf of candidates, said Zuckergates.
The IT ministry has established a set of rules regarding the use of text messages by political campaigns. Agencies cannot request users’ information or identities from telco providers or other parties for targeted campaigns. In addition, agencies are prohibited from sending SMS broadcasts or spam during the “quiet week” that precedes polling day, although Indonesia’s election watchdog has uncovered violations.
Nonetheless, illegal fintech platforms appear to be one of the biggest patrons of black market data brokers.
“Illegitimate [fintech] platforms reach out to potential victims by sending them messages via SMS or WhatsApp,” said Darumadi. Scams that may fail in other parts of the world still net victims in some emerging markets like Indonesia because of a generally lower level of digital and financial literacy. Some people click the links in the messages they receive, leading to an app’s installation and queries for their personal information. This way, the platforms gain access to victims’ information, like their contact information and salary. “Debt collectors would intimidate victims by constantly calling numbers in the victim’s contact list, asking them to repay the debt rudely, or even threaten to spread the victim’s personal data on the internet,” the lawyer added.
Indonesia’s financial authority OJK continuously urges the public to exercise care when choosing fintech platforms, given the large number of apps that operate without permits in the country. As of April 2021, OJK has blocked 3,198 illegal P2P lenders, but new ones continually emerge to take their place.
Even though Darumadi isn’t sure how illegal P2P lenders acquire their victims’ contact information, it doesn’t take much digging to locate personal data that is up for sale in Indonesia. One Twitter user who goes by “pinjollaknat” compiles some of this information and tweets about illegal lenders in the country. Brokers who say they have clusters of Indonesian e-national ID data to trade are a dime a dozen, making it extremely easy and cheap for illegal fintech operators to build an illegitimate user base. The next step is to force loans onto unknowing individuals, demand high-interest payments, and possibly wreck their financial foundations and credit scores in the process.
Can the plunder be stopped?
The racket of forced loan repayment by fintech platforms emerged five years ago and has picked up steam since then. Plenty of people have complained about this to Media Konsumen, which publishes reports from consumers who have been wronged. Here’s a fact: when digital assets are scattered across many platforms, consumers are in a vulnerable position. There were 47 cases of data theft in 2017, according to Indonesian police records. That count increased to 88 cases in 2018 and then to 143 in 2019. Last year, there were at least seven data breach cases involving large institutions. These attacks are escalating, yet little is being done to turn the tide.
Indonesia’s house of representatives is now reviewing a draft law on personal data protection. In the meantime, the principal legislation governing data protection is found in the law on electronic information and transactions (UU ITE), which includes punishments for parties, such as illegal fintech lenders, that steal or disseminate the personal data of other individuals without their consent.
Hackers who access computer systems without permission can be sentenced to eight years in prison and fined IDR 800 million (USD 56,000). Meanwhile, those who deliberately distribute digital documents without the owner’s permission for the purposes of extortion and intimidation can be imprisoned for up to six years and fined IDR 1 billion (USD 70,000).
Indonesia’s cyber police periodically remind the public to be cautious about providing personal data to other parties to avoid misuse, like generating unsolicited loans or even takeovers of personal accounts that hold cash balances. Yet, as data leaks become commonplace and official investigations yield little more than static, citizens are left to their own means to prevent or respond to criminal acts. The most effective things people can do are to monitor their accounts and react quickly if they spot unusual cash transfers.
“If you see any suspicious activity such as mysterious transactions, or if you’re being terrorized by illegal lenders, you can report it to the cyber police for immediate action. Consumers must be extra careful when submitting personal data such as their e-KTP [identity card] and selfies on digital platforms,” said Darumadi.
And the recent leak of 279 million people’s information? Indonesia’s cyber police and the National Cyber and Encryption Agency are investigating the incident, but if previous cases offer a reference, there won’t be any conclusions released anytime soon.