Personal data breaches at ISP IndiHome (owned by state-owned telecoms firm PT Telkom Indonesia) and state utility PT Perusahaan Listrik Negara (PLN) are being investigated by the Indonesian government.
This comes after reports that over 26 million pieces of data amounting to 5GB had been leaked from IndiHome’s database to a site on the dark web. The data reportedly includes information such as browsing history, dates and keywords used.
However, a representative from Telkom told Reuters that there had been no data breach.
According to a recent statement from senior communications ministry official Semuel Abrijani Pangerapan, the government called for a meeting with Telkom and PLN executives and issued directives on data protection to both companies.
“The Ministry of Communication and Informatics will soon issue technical recommendations to improve the implementation of protecting Telkom’s personal data, and at the same time coordinate with the National Cyber and Crypto Agency (BSSN),” said Pangerapan.
Indonesia under cyber attack
Data security has become a major concern in Indonesia in recent years, with a number of high-profile cases of companies losing customer data due to lax security practices. This includes a data breach of the COVID-19 screening app which allowed access to President Joko Widodo’s vaccine records. Those records were subsequently circulated widely on social media platforms in September of last year.
In a recent study by PwC, data theft was identified as one of the most common types of cybercrime in Indonesia. Since pre-pandemic times, companies and the government have been taking steps to improve cybersecurity in the country. The study says that over 80% of Indonesian companies surveyed in February 2020 increased their cybersecurity spending over the previous year. Furthermore, a draft law on resilience and cybersecurity has been in the works since 2019 and is expected to be enacted soon.
Cybersecurity strategy needed
Recently, the Governor of the Indonesian National Resilience Institute (Lemhannas) Andi Widjajanto stressed the importance of a Cybersecurity Act, especially as Indonesia’s cybersecurity ranking remains low.
The National Cyber Security Index (NCSI) placed Indonesia in the “poor” category with a score of 38.96%. This is below the global average, which stands at 42.71%. In particular, Indonesia scored below the global average on eight NCSI cybersecurity capacities: policy, threat, education, global contribution, digital services, essential services, personal data and crisis management.
Widjajanto said that the government is currently working on a national cybersecurity strategy, which is expected to be completed soon. He added that the strategy will be officially issued by the President.