JAKARTA – Indonesian legislators have finally passed the country’s first personal data protection law, but despite being labeled a historic moment, critics already point to worrying loopholes and question whether it will change a bureaucratic culture that largely ignores cybersecurity measures.
The passage of the legislation follows a series of digital attacks, including one incident where data on more than a billion registered Indonesian SIM cards were stolen and another where a hacker, known as Bjorka, tried to sell letters and documents purportedly sent by and to President Joko Widodo.
Other recent data breaches also involved the General Elections Commission (KPU), the Ministry of Communication and Information, state-owned power utility Perusahaan Listrik Negara (PLN), telecommunications giant Telkom and BPJS, the country’s healthcare and social security agency.
“The ratification … will be a milestone for Indonesia in protecting the personal date of its citizens from all forms of crime in the digital age,” Parliament Speaker Puan Maharani said in a September 19 statement, lauding a law which had been six years in the making.
The legislation mainly contains procedures for processing personal data, administrative sanctions for violations and criminal charges for data breaches. Yet experts say while it is better than nothing the legislation doesn’t go nearly far enough to rein in rampant cyber-leakages.
The new law requires data controllers and processors in the public and private sectors to seek permission to collect and share information and to provide users information on how and why they intend to use the data. They will also be given two years to ensure the security of data by establishing firewalls and encryption systems.
In the case of any data protection failure, the data processor will only need to provide a written notification no later than 72 hours to the data owner and face sanctions such as written warnings, temporary suspensions and fines of up to 2% of annual income or revenues.
Criminal penalties for personal data breaches are not considered tough enough to act as a deterrent. The maximum jail time for offenders varies from four to six years, with a maximum fine of between 4-6 billion rupiah (US$266,000 to $399,000) and additional compensation payments.
Much of the long delay in passing the bill centered on the status of an oversight agency. In the end, legislators came to a compromise under which the role of the body is outlined in general terms in the law, with the actual design being left to the executive branch.
Critics worry that if the president ultimately decides the agency will fall under the supervision of the communications ministry, it will treat violators from government ministries and other institutions differently from those in the private sector.
“There have to be equal sanctions,” says one Indonesian cyber researcher, speaking off the record. “The government could just deny it was responsible and the private sector would be made the scapegoats.”
Although the Widodo administration is noted for bringing younger and better-educated recruits into key ministerial advisory roles in recent years, new-generation IT specialists are disdainful of legislative efforts to tackle an increasingly serious issue.
As one put it: “None of the drafters are people who understand information systems, system security and privacy laws – the three basic elements of data protection law. Who drafted it? Politicians and old bureaucrats who know nothing but lining their pockets and colluding with the private sector.”
The cyber expert gave the government two out of ten for its cybersecurity measures, pointing out that most ministries pay little serious attention to setting up mitigation systems to protect data.
It is generally accepted that many institutions that manage sensitive data only meet specific standards for audit purposes, but fail to upgrade their security systems or implement best possible methods to ward off hackers.
Representatives of major multinational technology companies, who have strict rules at their own facilities, also find fault with the physical security at data centers in commercial buildings around Jakarta. Remarked one executive: “They just don’t have the same standards as ours.”
Indonesia’s National Cyber and Encryption Agency (BSSN) reported 88.4 million cyberattacks between January and February 2020, rising to 423.4 million by the end of that year, more than half of them the result of trojan activity.
The BSSN said the number of so-called “traffic anomalies” rocketed to 1.6 billion in 2021, with 62% of those attributed to malware, followed by trojan and phishing attempts.
According to Techwire, attacks on Indonesian financial services institutions were 252% above the global average in the past six months, or an average of 2,730 a week, which experts put down to the fact that Indonesian hackers are more successful on home ground.
Mobile banking platforms and applications are at the greatest risk. Only last December, Bank Indonesia (BI), the central bank, reported a ransomware attack had affected its network, but claimed it had been prevented from disrupting the bank’s operations.
Conti, an operation linked to the Wizard Spider Russian cybercrime group, claimed responsibility for the attack after leaking some non-critical data belonging to BI’s employees and threatening to release more if a ransom wasn’t paid.
Previously, in May 2021, hackers obtained the ID numbers, salary information and phone numbers from data stored on a server used by BPJS Kesehatan for its health insurance program, encompassing the entire 279 million-strong population.
Bjorka has been active since 2020, most recently stealing sensitive files containing the personal information of 105 million voters registered with the KPU, which will manage the February 14, 2024, presidential and legislative elections.
Initially, he appeared to be trying to sell the information, but recent tweets on his Twitter account @Bjorkanism have suggested he has now shifted to a higher mission with a political agenda, which tends to identify him as an Indonesian activist.
“I just wanted to point out how easy it is for me to get into various doors because of poor data protection policies, especially if it is managed by the government,” he said. “Nothing will change if fools are still given a lot of power.”
“The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces because they are just idiots,” he tweeted in an apparent reference to communications minister Johnny G Plate, a member of the National Democrat Party.
On September 14, police cyber investigators claimed to have arrested a young man they suspected was Bjorka in the East Java city of Madiun, but little has been revealed since then to indicate they had the right culprit.
Four days later, Widodo summoned security officials to question them over reports that Bjorka had managed to gain access to confidential government documents – including an exchange of messages with the State Intelligence Agency (BIN).
