Recent data breaches and the attempted sale of customers’ private data have once again highlighted the dire need for Indonesia to draft specific data protection legislation.

In the latest case, the personal details of up to two million clients of BRI Life, the insurance arm of state lender Bank Rakyat Indonesia (BRI), were exposed on the internet and advertised for sale by unidentified hackers.

The breach was reported by Alon Gal, chief technology officer of cybercrime intelligence firm Hudson Rock, on his Twitter account @UnderTheBreach on July 27. In his tweet, he posted screenshots of an online forum thread showing the attempted sale of up to 250 gigabytes of BRI Life’s customer data, including details on insurance policy statements and copies of ID cards.

The seller reportedly offered the data for about 100 million rupiah ($7,000).

Reuters reported that Hudson Rock had found evidence that the breach was likely made possible by compromised employee computers at both BRI Life and BRI.

BRI Life corporate secretary Ade Ahmad Nasution said the hacker had gained access to the BRI Life Sharia Insurance data system, which held the details of around 25,000 individual sharia insurance policies, but added that it did not affect the data of other companies within the BRI group.

“This incident had no effect on other BRI customers and other companies within the BRI group,” Ade said on July 29 as quoted by Kontan.

BRI Life’s board of directors were summoned by the Ministry of Communications and Information to give their accounts of the incident. In a statement, ministry spokesperson Dedy Permadi said the ministry would continue to follow up on the case and provide support to BRI Life to strengthen its data-management system.

Institute for Policy Research and Advocacy (Elsam) executive director Wahyudi Djafar has called on the government to provide a complete audit report to the public over the alleged BRI Life data breach, as well as other breaches in the past.

“We need complete reports of data breach investigations, which should also contain mitigation and preventive measures to make sure that similar incidents will not recur,” Wahyudi told the Jakarta Post on July 29.

In May, the private information of over 200 million Indonesians, managed by the Health Care and Social Security Agency (BPJS), was leaked and put up for sale on an online hacking forum.

Homegrown e-commerce platform Tokopedia, now part of GoTo group, also found its internal database had been breached in May last year, compromising the private data of up to 15 million users.

The breach served as a grim reminder about the vulnerability of Indonesians’ private data on the internet, with the government and the House of Representatives still at loggerheads over the deliberation of the long-awaited data protection bill (RUU PDP).

The bill was included in this year’s national legislative programme (Prolegnas), but its deliberation has been slow as the government and lawmakers are still not on the same page regarding the design of a data protection agency.

The government has proposed that the agency be established under the Ministry of Communications and Information, borrowing from similar arrangements in Singapore and Malaysia, but members of House Commission I, which oversees defence, foreign affairs, information and intelligence, have insisted that the agency be independent of the government.

Commission I deputy chair Abdul Kharis Almasyhari said the government and lawmakers were still unable to resolve the deadlock, saying that there had been “no developments” in the deliberation of the bill.

He said the deadlock over the data protection agency had consumed the government and lawmakers’ attention, noting that there were 228 points listed in the bill’s problem inventory list (DIM) that had yet to be discussed because the government and the House had been unable to find a solution to the deadlock.

The House is currently in recess and is scheduled to resume its duties on August 16.

THE JAKARTA POST/ASIA NEWS NETWORK