Personal Data Leaked From BPJS, Experts Suggest Government Cooperates With State Cyber and Code Agency Forensic Digital Audit

JAKARTA - Cybersecurity expert, Pratama Persadha, asked all parties to wait for official information on whether 270 million leaked Indonesian data came from BPJS Kesehatan. While ensuring the possibility of forensic digital.

"When checked, this sample data of 240MB contains a residence identity number (NIK), mobile number, address, email address, Taxpayer Identification Number (NPWP), place of birth date, gender, number of dependents and other personal data that even the data spreader claims there are 20 million data containing photos," Pratama said in a statement, Friday, May 21.

Chairman of cyber research institute CISSReC (Communication &Information System Security Research Center) said in the downloaded file there is NOKA data or BPJS Kesehatan card number. According to the perpetrator's claim, he has file data of 272,788,202 million people.

However, Pratama found it strange that Kotz's account claimed to have more than 270 million similar data, whereas the member of BPJS at the end of 2020 is 222 million.

"From the BPJS Kesehatan number in the file when checked online it turns out that the data is the same as the name in the file. So it is most likely that the data comes from BPJS Kesehatan", he explained.

Pratama said that data from leaked files can be used by criminals by committing targeted phishing or other types of social engineering attacks.

"Although in the file is not found very sensitive data such as credit card details but with some personal data that exist, for cybercriminals is enough to cause damage and real threats", explained Pratama.

- https://voi.id/berita/53082/viral-ayah-aniaya-anak-kandung-di-tangsel-dipicu-cemburu-buta

- https://voi.id/berita/53091/orang-tua-di-tangsel-ngaku-aniaya-anaknya-dua-kali-polisi-kami-dalami

- https://voi.id/berita/34785/risma-setop-santunan-kemensos-rp15-juta-bagi-korban-meninggal-akibat-covid-19

- https://voi.id/berita/35129/dprd-dki-kritik-anies-baswedan-yang-janji-bikin-1-8-juta-sumur-resapan-sampai-hari-ini-paling-cuma-15-ribuan

- https://voi.id/berita/35357/kasus-penistaan-agama-4-petugas-rs-di-sumut-yang-mandikan-jenazah-perempuan-disetop-kejaksaan

- https://voi.id/berita/35307/4-petugas-rs-di-pematang-siantar-tersangka-kasus-memandikan-jenazah-perempuan-berstatus-tahanan-kota

- https://voi.id/berita/35190/kerumunan-warga-ntt-demi-bertemu-jokowi-epidemiolog-tim-kepresiden-harusnya-antisipasi

- https://voi.id/berita/35067/jokowi-disambut-kerumunan-di-ntt-istana-itu-spontanitas-presiden-mengingatkan-warga-pakai-masker

- https://voi.id/berita/35295/stafsus-

Furthermore, Pratama explained, criminals can combine the information found in the leaked CSV file with other data breaches to create detailed profiles of their potential victims such as data from leaks Tokopedia, Bhinneka, Bukalapak, and others.

With such information, he said, criminals can carry out phishing attacks and social engineering that is much more convincing for the victims.

"Clearly no system is 100% secure from hacking threats or other forms of cyberattacks. Because it is aware of this, it is necessary to create the best system and run by the best and competent people to always be able to do security with high standards", said Pratama.

Pratama added that this kind of incident should not happen to the data collected by the state.

"From now on, all government agencies must work with BSSN (State Cyber and Code Agency) to conduct a forensic digital audit and find out which security holes exist", he said.

According to him, this step is very necessary to avoid data theft in the future. The government is also obliged to conduct system testing or Penetration Test periodically to all systems of government agencies.

"This is a preventive measure so that from the beginning there can be weaknesses that must be fixed immediately", Pratama said.

He also assessed, strengthening the system and human resources should be improved, the adoption of technology mainly for data security also needs to be done. Indonesia itself is still considered vulnerable to hacking because cybersecurity awareness is still low.

Most importantly, he continued, it takes a Personal Data Protection law that is as strict and strict as in Europe. This is a major factor, many major hacks in the country targeting the theft of personal data.

"In principle, this personal data is the target of many people. It is very dangerous when it is true that this data was leaked from BPJS. Because the data is valid and can be used as raw material for digital crime, especially banking crimes. From this data can be used by criminals to create fake ID cards and then break into the victim's account", said Pratama.

"Of course we do not want this incident to repeat itself, therefore the Personal Data Protection Law is indispensable, as long as it has a really strong article and aims to secure public data", he added.

As reported, there is an alleged leak of personal data of Indonesian people. One million personal data that is likely to be data from BPJS Kesehatan is uploaded on the internet.

Kotz account provides free download access to 240 MB of files containing one million Indonesian personal data.

The file was shared on May 12, 2021, and this week it has been a lot of public attention. The account claims to have more than 270 million other data sold for $ 6,000.