It has come to light that the personal information of almost 35 million Indonesian passport holders has been made available for purchase on the dark web for $10,000 by a notorious hacktivist known as Bjorka. This individual has a history of criticizing the Indonesian government and publishing damaging information about lawmakers on social media. Indonesian security researcher Teguh Aprianto has revealed on Twitter that the hacker has put up for sale Indonesian passport holders' details, including their full name, birthdate, gender, passport numbers, and passport validity dates. The government is currently investigating a possible breach of the Directorate General of Immigration's network.
According to Bjorka, the compromised passport data includes names, passport numbers, passport expiration dates, gender, and passport issuance dates. Screenshots from the dark web show Bjorka, using the username Bjorka, offering the entire dataset of 34 million Indonesian passport data for Rp 150 million (US$10,000). The compressed and uncompressed versions of the file are said to be approximately 4 GB each, with a total of 34,900,867 files.
The Ministry of Communication and Informatics, known as Kominfo, is investigating reports of the alleged theft of the personal information of 34.9 million Indonesians. Director-General of Informatics Applications Semuel A. Pangerapan has stated that the ministry "had not been able to conclude that there had been a massive leak of personal data as suspected." Pangerapan has said that Kominfo will conduct an in-depth investigation into the reported data leak and publish its findings as soon as possible. The ministry is working with the National Cyber and Crypto Agency, the Directorate General of Immigration, and the Ministry of Law and Human Rights.
Cyble, a threat intelligence company, has stated that Indonesia is one of Southeast Asia's highest-targeted nations for cyberattacks, experiencing over 11 million attacks in the first quarter of 2022 alone.
Cybersecurity expert Alfons Tanujaya, founder of Vaksincom, a network security protection service, has commented on the validity and limited nature of the leaked data. In an interview with Tekno Liputan6.com, Alfons stated that the leaked data is likely valid due to the presence of the National Identity Card Identification Number (NIKIM), which is exclusively held by the Directorate General of Immigration. Despite the limited types of data leaked, Alfons warned that the information can still be used to identify individuals.
The Director-General of Immigration at the Ministry of Law and Human Rights (Kemenkumham), Silmy Karim, has confirmed that an investigation into the alleged data breach is underway. “We are currently investigating the validity of the leak,” Silmy Karim stated via a text message to Liputan6.com. Silmy further revealed that the immigration data centre currently utilizes the National Data Center (PDN; Pusat Data Nasional) of the Ministry of Communications and Informatics (Kominfo). They are collaborating with the National Cyber and Encryption Agency (BSSN; Badan Siber dan Sandi Negara) and Kominfo to investigate the matter.
The persisting issue of data breaches in Indonesia highlights the urgency to fortify data protection measures. Semuel Abrijani Pangerapan, Director-General of Informatics Applications at Kominfo, has revealed that between 2019 and 2023, the ministry has addressed a total of 94 data breach cases. Notably, the number of data breaches spiked by 75% in 2023, accounting for 35 cases. As of June 2023, Kominfo has already handled 15 data breach incidents.