Purely Hacked, Here's A List Of Any Data That Was Successfully Hacked From BRI Life Customers
JAKARTA - For the umpteenth time, people in the country are again shocked by the news of the leak of personal data. Cyber crime monitoring company Hudson Rock said on its Twitter account that BRI Life customers had been victims of the data leak.
In the screenshot uploaded by @Hrock, you can see that there are many domains and subdomains of BRI whose data is taken. Cybersecurity expert Pratama Persadha explained that when he checked on the raid forums, an account named Reckt had uploaded a sample of the data he was selling, but a few moments later it was deleted.
The account is reported to have sold a customer database of more than 2 million BRI Life Insurance customers and scanned documents of more than 463 thousand. Pratama explained, the database has insurance policy pins, complete details about customers who use BRI Life insurance, total benefits, total period of years.
There are also ID cards, family cards, NPWP, photos of bank account books, birth certificates, death certificates, agreement letters, proof of transfers, financial evidence, proof of health certificates such as EKG, diabetes and others.
We identified multiple compromised employee computers of BRI Life and Bank Rakyat Indonesia which may have helped the hacker obtain an initial access to the company.Learn how to use Cavalier to protect your organization from this attack vector -https://t.co/slsshxX51N pic.twitter.com/EjfdpPHdGr
— Hudson Rock (@HRock) July 27, 2021
“There are as many as 463,519 document files with a size of up to 252 GB and there is also a database file containing 2 million BRI Life customers with a size of 410MB. For the self-sample given the size of 2.5 GB contains many document files. The two complete files are offered at a price of 7,000 US dollars equivalent to Rp. 101 million and are paid for in bitcoin," said Pratama in an official statement received by VOI, Wednesday, July 28.
Not only that, there are also account mutation data, proof of transfer of insurance deposits, there are also screenshots of customer WA conversations with BRI Life employees, insurance registration documents, several self-declaration and commitment forms, even complete with life insurance policies.
"This means that from Hudson Rock's claim as the party who informed the leak and the perpetrator of the data seller, it is most likely true. That the data they claim does contain various data from BRI Life customers," explained Pratama.
Primary added of course this is a serious concern. If you look at the screenshot shared by Hudson Rock, it's clear that the data was taken due to a site breach. It can be seen how the BRI Life sites are mentioned, even with their username or account login, password and IP.
“Digital forensics needs to be done to find out which security holes are used to break through, whether from the SQL (Structured Query Language) side so that SQL Injection is exposed or there are other security holes. Such as the compromise of a BRI Life account which also has the potential for hackers to enter into the system," said Pratama.
According to Pratama, from this it can also be concluded that the source of the data leak was the result of hacking, not the result of buying and selling data from internal parties or employees. Therefore, Pratama stressed to the government to immediately ratify the PDP (Personal Data Protection) Law, as long as it has a really strong article and aims to secure public data.
Preferably, Pratama asks for the strengthening of the system and human resources must be improved, the adoption of technology mainly for data security also needs to be done. Indonesia itself is still considered vulnerable to hacking because cybersecurity awareness is still low. Most importantly, a PDP Law is needed that can act decisively and strictly as in Europe. This is the main factor, many major hacks in the country target the theft of personal data.
“Data leaks in Indonesia are critical, like this, the Government and the DPR should agree to pass the PDP Law. Without a strong PDP Law, personal data managers, both state and private institutions, will not be able to be further held accountable and will not be able to force them to improve their technology, human resources and information system security," said Pratama.
Meanwhile, a spokesman for the Ministry of Communication and Information (Kemenkominfo) Dedy Permadi stated that until now his party is still investigating the data leak.
"Until now, the investigation is still ongoing and the results cannot be concluded," said Dedy.