A recent alleged police data breach shows that not only is the Indonesian general public susceptible to having their data stolen and traded online amid the absence of data protection laws, but also law enforcement officials.

In a Twitter post on November 17, user @son1x777 claimed to have hacked into the National Police system and stolen the personal data of thousands of police officers, from their dates of birth to badge numbers. By November 20, the account had been suspended for violating Twitter rules.

National Police spokesman Inspector General Dedi Prasetyo has said that the police were still looking into the alleged data breach, kompas.com reported.

Wahyudi Djafar from the Institute for Policy Research and Advocacy (Elsam), which has been advocating for personal data protection laws for years, said the police must act fast to mitigate further data leakages and identify security vulnerabilities in their system.

“The police must also notify the subjects [police personnel] whose data has been compromised,” Wahyudi told the Jakarta Post.

He said the alleged incident underlined the urgent need for the personal data protection bill to be passed into law, which will provide guidelines for law enforcement agencies to impose stern penalties against the illegal use of personal data.

The bill’s deliberation at the House of Representatives has been slow due to a lack of consensus among the government and lawmakers over the design of a data protection agency.

House Deputy Speaker Sufmi Dasco Ahmad from the Gerindra Party previously said lawmakers would see to it that the bill was passed into law during the current sitting period, before lawmakers go into recess in mid-December.

Pratama Persadha from think tank Communication and Information System Security Research Center (CISSReC) found two different sets of leaked information, including data related to internal police investigations on alleged police misconduct.

“There is a possibility that the attack was a form of hacktivism that will help the hackers build a reputation or introduce them to the world,” Pratama said.

He noted several other past cyberattacks on the police, including website defacement and hacking. He said another set of data on police personnel was currently still up for sale on online hacking forum RaidForums by an account with the username Stars12n.

The alleged police data breach occurred only weeks following cyberattacks on state agencies last month – one related to the National Cyber and Encryption Agency (BSSN) and another that puts child victims of abuse at risk.

The latter centred on the hacking of the Indonesian Child Protection Commission’s (KPAI) database of the personal information of people who had filed reports on alleged child abuse cases, like bullying, kidnapping, violence against children and rape.

The breach also exposed the names of the children and their guardians, as well as ID card numbers, mailing and email addresses and phone numbers of the persons who reported the alleged abuse.

“Low cyber security awareness is also one of the reasons why government websites often become targets of hacking,” Pratama said, urging policymakers to immediately enact the data protection bill.

A member of the House Commission I overseeing defence, foreign affairs, information and intelligence, Irine Yusiana Roba Putri from the Democratic Party of Struggle (PDI-P), said policymakers could not wait for another data breach to get serious about deliberating the data protection bill.

“We need to have proper regulations and competent regulators so the personal data of citizens and those managed by state institutions can be properly protected,” Irine said.