Failing to Protect PDN Data, Government Violates PDP Law
JAKARTA – The National Data Center (PDN) experienced a cyber attack since Thursday 20 June and has not fully recovered. Despite trying to restore the data, the government, in this case the team from the Ministry of Communication and Information, BSSN, Polri and also Telkom as the PDN manager, finally admitted that they had failed to recover the data stored on the PDN.
"We are working hard to recover the resources we have. What is clear is that data that has been affected by ransomware cannot be recovered. "So now we are using the resources we still have," said Telkom's Director of Network and IT Solutions, Herlan Wijanarko, last Wednesday, June 26.
According to the Director of ELSAM, Wahyudi Djafar, the hacking of PDN and the data breach of a number of agencies shows that the protection system implemented by the government is very vulnerable, and must be repaired according to legal standards.
"Various cases of alleged personal data breaches, in the form of attacks on data confidentiality, which have resulted in the disclosure of a number of data elements managed by government data controllers, further emphasize the vulnerability of the data protection systems they implement," he said, Monday 1 July 2024.
He revealed that in the midst of efforts to recover the Temporary PDN due to a ransomware attack, a number of government agency data was being peddled by hackers through a special site. A number of agencies suspected of experiencing data breaches were the Directorate General of Civil Aviation (employee data and photos, usernames and passwords for all applications, drone pilot certification participants, and flight data).
Another institution whose data was leaked by hackers is the Employment Social Security Administration (BPJS), which includes the names and dates of birth of BPJS Employment participants, email addresses, telephone numbers, age groups, addresses, postal codes.
Then the hacker also admitted to stealing data from the TNI's Strategic Intelligence Agency (BAIS), the Indonesian Police's Indonesia Automatic Fingerprint Identification System (INAFIS) (which includes sensitive fingerprint photo data), the Denpasar City Government, and the Semarang City Government.
Government Data Protection Does Not Comply with Legal Standards
Although it is not yet known whether the source of the data for a number of agencies came from the PDN Temporary hack or something else, the management of this data involves personal data controllers from the public sector managed by the government.
Wahyudi emphasized that if the government is negligent in managing and ensuring data protection, it will be the same as violating the Personal Data Protection Law (PDP). This is because Law Number 27/2022 concerning Personal Data Protection also applies bindingly to all public data controllers, including implementing all compliance standards.
"The government as a data controller is obliged to be responsible and comply with the law, ensure the security of data processing, record data processing activities, maintain data confidentiality, provide notifications if a violation occurs, and carry out an assessment of the impact of data protection," he explained.
Wahyudi stated, because it is a mandate in the PDP Law, the government should take technical and organizational steps to ensure compliance. Apart from that, the government must also move quickly to take strategic steps following the ransomware hacking of Temporary PDN, and the alleged data breach of a number of institutions, so as not to disrupt the implementation of the Electronic Based Government System (SPBE).
He said that the vulnerability of protecting citizens' personal data managed by public institutions is not only related to the large risk of disclosure of that data. But it can also have an impact on integrity and even loss of data, as happened in the case of the Temporary PDN hack.
Cyber attacks, continued Wahyudi, can threaten the confidentiality, integrity and availability of data. In fact, creating a PDN is at the core of public and government data security goals.
"If comprehensive improvements are not carried out immediately, it is feared that the risks and threats to residents will get worse, mitigation will become more difficult, and of course it will result in significant economic losses," he said.
He gave an example, in 2019 the South Korean government had to spend up to 650 million US dollars to handle hacking of public data. This large budget was disbursed to change the identities of 50 million South Korean citizens as a result of 20 million of its citizens being victims of a data breach in 2014.
Cyber security expert from the ITS Smart City and Cyber Security Laboratory, Ridho Rahman Hariadi, the government's failure to protect data in the Temporary PDN not only threatens large institutions, but also has an impact on the wider community.
Threats to society can include loss of personal data such as photos, documents, and financial information infected by ransomware. Attackers can steal sensitive data and threaten to publish or sell it if a ransom is not paid.
“Apart from that, perpetrators can also attack social media accounts and banks to gain certain profits. "This will definitely bring inconvenience and potential danger to the community," he said.
Ridho suggested that the government strengthen cooperation with educational institutions and research institutions to develop solutions and overcome future attacks. Including through training programs, seminars and research, to strengthen national cyber resilience.
Through these steps, it is hoped that ransomware attack incidents can be minimized and national cyber resilience can be increased. The reason is, these two things are very crucial in protecting public data and services that are important to society.
"Awareness of the importance of cyber security must continue to be increased, both among the government, private sector and the general public, to ensure that critical data and systems remain protected from ever-growing threats," stressed Ridho.
Data Protection is a Joint Task of Organizers and Users
Minister of Communication and Information, Budi Arie Setiadi stated that cyber security, including data protection, is a joint task of all stakeholders. Because there are at least three aspects related to security guarantees in the implementation and use of PDN that must be of joint concern between PDN service providers and users.
"There are three aspects that must be paid attention to by PDN organizers and PDN service users, which are abbreviated as CIA, namely aspects of confidentiality, integrity and availability of data and information," he explained.
In the aspect of confidentiality, PDN has implemented physical security to IT security at the hardware, network and cloud system levels. The implementation of this security also refers to several international standards, namely ISO 27001, including physical security by requiring access to the data center through several layers of screening, such as collecting access data at the entrance gate to entering the data center room by registering again to gain access to the data center room. and server racks that will be addressed with an electronic ID card + fingerprint, installation of devices such as network firewall, Web Application Firewall, AntiDDOS, Automatic Vulnerability, File Integrity Monitoring, Email Security, Network Antivirus, and SIEM, security at the Operating System, Management Platform level, Application Management, and Data Management because PDN service users use IaaS (Infrastructure as a Service) services, namely the use of VPS/Virtual Machines and data management, especially strategic and confidential data.
"In the aspect of authenticity, PDN service users must also anticipate hacking of data and information, by implementing security in applications such as implementing anti-SQL injection, Cross-Site Scripting (XSS), Phishing, Social Engineering, Insider Threat, etc. so that the authenticity of information conveyed in the website is maintained," said Budi Arie.