Leakage Of 896 CreditPlus Customer Data Alerts The Importance Of The PDP Bill

personal data security illustration (Pixabay)

JAKARTA - Another case of data leakage occurred, this time experienced by the fintech company KreditPlus. It is suspected that around 896 leaked personal data of KreditPlus users were traded on hacker forums.

The leaked data includes name, KTP, email , password , address, cellphone number, job data, and family data of the guarantor. Cybersecurity activist Teguh Aprianto discovered the findings of this KreditPlus customer data, who then shared them on his personal Twitter page.

896 thousand data belonging to KreditPlus were leaked and sold. The leaked data includes:

- Name

- ID CARD

- Email

- Password

- Address

- Mobile phone number

- Employment data

- Data of the guarantor's family

KreditPlus itself is a financial company registered and supervised by @ojkindonesia . pic.twitter.com/wQILwthye1

- Teguh Aprianto (@secgron) August 3, 2020

KreditPlus itself is a multi-use financing service for motorbikes, cars, and heavy equipment owned by PT Finansia Multi Finance, and was founded in 1994. This financial company has also been registered and directly supervised by the Financial Services Authority (OJK).

Although recently, the thread that listed the leaked data on sales of the KreditPlus customer database has since been deleted. Cybersecurity observer from CISSReC, Pratama Husada, said that the leakage of CreditPlus customer data had been shared since last 16 July.

Waiting for the Personal Data Protection Act

The database is stored in a download file of 78MB which still needs to be extracted to get 430MB of KreditPlus customer data. These files contain 819,976 customer data complete with some other sensitive data which is very dangerous, if used for fraud and other crimes.

"The main problem in this country is that there is no law that forces these electronic system service providers to fully secure the public data they collect. So that all data which should be encrypted can still be seen with the naked eye, "Pratama explained in a press statement received by VOI , Tuesday, July 4.

In this case, the state has the responsibility to accelerate the discussion of the Personal Data Protection Bill. Later in the law, it should be stated that any electronic transaction system service provider (PSTE) that does not secure public data can be sued for compensation and brought to court.

He gave an example, several countries in Europe have implemented the consumer data protection regulation General Data Protection Regulation (GDPR). Where every data collected must be secured with encryption and if proven negligent, the service provider could be subject to prosecution of up to 20 million euros in fines.

"You can imagine if this credit surplus is abroad, it could be subject to negligence articles in the GDPR. It is the same as the data leakage incident that has occurred in the country before," explained the man who is also a graduate lecturer at the State Intelligence College (STIN).

Therefore Pratama asked the government to immediately accelerate the discussion of the Personal Data Protection Bill so that cases of data leakage like this can be investigated thoroughly and the security of people's personal data can be guaranteed.

It is the choice for technology providers to protect all data so that it is encrypted. Offline data must also have a security model that is no less stringent.

"To prevent repeated data theft, it is necessary to hold a penetration test and also a bug bounty. Each PSTE can provide a decent reward to each party who finds a security hole in their system. This is often done by Apple, Google, FB, Amazon and other technology giants, ”he explained.

Tracing the leakage of KreditPlus customer data (doc. CISSReC)

The recurring incidents of data theft should encourage Kominfo and BSSN to go to the field more frequently to conduct education and force PSTE to build a better system, especially in protecting customer data or their platform customers. Because this cyber security will be one of the things that investors use to do business in the country.

"Before service owners can secure their users' personal data, we must also be able to secure our own personal data. For example, for those who create a good and strong password , activate two factor authentication . Install anti-virus on every device used, don't use free WiFi, don't open unknown and suspicious links, as well as other standard safeguards, "explained Pratama.