Leakage PeduliLindungi Valid Data? Here's The Expert Response

Illustration of users of the Pedulilindungi application (photo: dock. Antara)

YOGYAKARTA - Hacker Bjorka is acting up again by leaking 3.2 billion data on users of the PeduliLindung application. The PeduliLindung data leak was uploaded on Tuesday, November 15, 2022 morning by members of the beached.to site forum with the identity name Bjorka.

Previously, Bjorka also leaked 44 million MyPertamina user data including name, email, NIK, Taxpayer Basic Number (NPWP), telephone number, address, gender, income, and others.

Originally, Bjorka had given a signal that he would hack PeduliLindung, when he leaked MyPertamina data on November 10 on his Telegram channel.

Chairman of the Indonesian Cyber Research Institute CISSReC Dr. Pratama Persadha said the PeduliLindung data leaked by Bjorka was completely valid and recorded in population data.

Bjorka sold 3.2 billion PeduliLindung data at a price of 100,000 US dollars or around Rp. 1.5 billion. Buy and sell transactions are carried out in Bitcoin currency.

"The data is divided into user data, vaccination data, tracking history, and history of checking in application users by providing data samples," said Pratama, quoted by VOI from ANTARA, Thursday, November 17, 2022.

Pratama explained, Bjorka shared the data on Tuesday morning through a brached.to. Before uploading the data, Bjorka had promised to leak the PeduliLindung application to the public after the MyPertamina application.

He added that the PeduliLindung data sold by Bjorka includes name, email, population identification number (NIK), identity card number (KTP), telephone number, date of birth, device identity, COVID-19 status, check-in history, contact tracing history, vaccination, and many other data.

Data claimed by Bjorka, said Pratama, is 3,250,144,777 data with a total size of 157 gigabits if it is not compressed.

It was also stated that the sample data was divided into five files, namely 94 million user data, 94 million accounts that have been sorted, 209 million vaccination data, 1.3 billion check-in history data, and 1.5 billion contact tracing history.

When the data shared by Bjorka was checked using the ID card number checking application, Pratama revealed that the data was actually valid in the population data.

"If further examined of the data sample, there are many location coordinates that coincide with the PeduliLindung check-in feature in public places," said this cybersecurity expert.

Until now, continued Pratama, the data source is still unclear. However, whether or not this data is original is only an agency involved in making the PeduliLindung application, namely Kominfo, Ministry of SOEs, Ministry of Health, and Telkom.

Pratama regretted that the very sensitive data was not optimally secured, for example by encrypting the data.

According to Pratama, it is important to conduct digital forensic audits and investigations (digital forensics) to ensure where this data leak came from.

What Data Control Must Do

According to Law Number 27 of 2022 concerning Personal Data Protection, if the data leaked by Bjorka is correct belonging to the PeduliLindung application, then the data control party must submit a written notification no later than 3x24 hours.

"And if this is true PeduliLindungi data, then it applies to Article 46 of the PDP Law paragraphs 1 and 2, which states that in the event of a failure to protect personal data, private data controllers are required to submit a written notification, no later than 3 x 24 hours," said Pratama.

"The notification was submitted to the subjects of personal data and the Personal Data Protection Agency (LPPDP). The minimum notification must contain personal data that is revealed, when and how personal data is revealed, and efforts to handle and recover from it are revealed by personal data controllers".

This is information regarding the leakage of PeduliLindungi data.