Millions of Indonesians are once again the victims of a data breach due to the absence of personal data protection. On Tuesday, the data of customers of BRI Life, the insurance arm of the country’s biggest lender, BRI, was reportedly leaked and sold online. The matter was first mentioned in a tweet by Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock, who said that a dataset containing personal information of BRI Life’s 2 million customers was sold on the dark web for USD 7,000.
At least 463,000 documents were leaked, including information like national IDs, taxpayer identification numbers, photos of customers’ bankbooks, birth certificates, and medical records. Gal also said the data was obtained by hackers who exploited the computers of BRI Life’s employees.
In response to this case, a spokesperson for the IT Ministry and CEO of BRI Life told local media that they are investigating the case. As part of the investigation, BRI Life is working with an independent team that specializes in cybersecurity to track the data.
Major enterprises and government agencies in Indonesia are frequent targets for hacks. In May, the server of BPJS Kesehatan, the country’s healthcare and social security agency, was allegedly breached, resulting in the data of 279 million Indonesians being posted on a hacker forum. The case is still under investigation. Police have identified the perpetrators who hacked into BPJS’ servers, but there have been no reports indicating how they were able to exploit weaknesses in the system.
Although Indonesia’s tech ecosystem is maturing, these cases show that Indonesia struggles with weak data protection. The government is reviewing a draft for regulations that define terms for personal data protection, but it is unclear when the bill will be passed into law. Last year, at least seven major data breaches occurred, including high-profile cases involving large tech companies like Tokopedia and Bukalapak, loan provider KreditPlus, as well as Indonesia’s general elections commission (KPU).