ANN/THE STRAITS TIMES – Indonesia’s newly formed privacy task force is hunting a hacker behind a series of data leaks related to 1.3 billion registered mobile phone numbers and 105 million voters and a log of the president’s correspondence, among other things.
The hacker, who goes by the pseudonym Bjorka and claims to be based in Warsaw, Poland, has a history of selling stolen data, including that of Indonesian state-owned companies, mobile operators and general election commissions, on hacking forum BreachForums for a few weeks.
Bjorka also leaked a log of incoming and outgoing confidential documents between President Joko Widodo and state intelligence.
The hacker also released personal details of public figures such as Luhut Pandjaitan, Coordinating Minister for Maritime Affairs and Investments, and Johnny G Plate, Minister for Communications and Informatics. The leaked details included phone numbers, identity numbers and vaccine numbers.
The day after a senior IT applications executive urged Bjorka to stop sharing Indonesians’ personal data at a Sept. 5 press conference, the hacker boldly urged the government to “stop being an idiot” in a BreachForums post. .
Speaking on Twitter, Bjorka also said those investigating the hacker didn’t know where to start looking and taunted public figures like State-Owned Enterprises Secretary Erick Thohir, urging him to lower his presidency hopes to give up.
At least three of Bjorka’s Twitter accounts have been suspended.
Coordinating Minister for Political, Legal and Security Affairs Mahfud MD last Wednesday urged the public to remain calm, claiming that no major systems had been hacked and no state secrets had been revealed.
The leaks “only concerned general data on the President’s correspondence. So far, its content has not been leaked,” he said.
He added that authorities identified Bjorka and the hacker’s location using “tools that can track all this stuff.”
Shortly after the data protection task force was formed last Wednesday, police interrogated a 23-year-old man, identified by the initials MAH, in the Madiun regency of East Java, where he is selling drinks at a traditional market, Tempo reported.
Police have not confirmed if he is Bjorka and the task force is investigating the recent incidents.
Indonesia, home to a booming digital economy, has seen massive data breaches involving government agencies and private companies since 2019.
One major incident involved the leaking of social security data — including ID cards and family cards — of over 200 million citizens in the Health and Social Security Administration’s database in May last year.
This is a top-tier breach, experts said, criticizing the lack of adequate responses to previous breaches.
“The data leaked by Bjorka is actually lower in quality and quantity than what was previously leaked,” digital forensics expert Ruby Alamsyah told The Straits Times (ST). “But thanks to the hacker, the personal data leaks have received a huge spotlight.”
He noted that prior to BreachForums, Bjorka had been selling leaked data from other countries at RedForum, one of the largest dark web targets for stolen data, which was shut down by the United States Department of Justice in April.
The chief executive of Jakarta-based Digital Forensic Indonesia Ruby stressed that instead of just focusing on the latest data breach, the task force should also investigate similar leaks since 2019 and at least draw “lessons from previous cases” to avert similar incidents the future.
“It’s better for the task force to improve data management. Relevant institutions have only denied data leaks in recent years and have not improved their data protection, which is why data leaks have occurred again and again,” Alfons Tanujaya, IT security specialist at Vaksincom, told ST.
“If Bjorka is arrested but the data continues to be leaked, other Bjorkas will exploit the hacked data within three to six months.”
Parliament is expected to pass the Personal Data Protection Act within a month, said Dr. Mahfud.
If the law passes, government institutions and private companies will be pushed to improve their cybersecurity, both Ruby and Alfons said. Because data leaks result in fines and criminal sanctions.
“Logically, due to the fine and sanctions, all parties will be well prepared and ensure their cybersecurity is better than in the past and data leakage can be averted,” Ruby said.
“If there is a leak, the public can demand accountability and compensation because there is a valid legal basis.”