JAKARTA - As many as 91 million user accounts and more than 17 million Tokopedia merchant data have been hacked and traded on the dark web site. These data are even sold at a price of 5,000 US dollars or around Rp.73.4 million.

The case of leakage of privacy data, such as passwords to user identities, is certainly a heavy slap for Tokopedia. Moreover, the number of user accounts that are integrated with other payment instrument systems such as OVO, registered credit and debit cards.

Of course, the leakage of 91 million Tokopedia accounts on dark web sites has caused panic among its users. Because various ways to protect privacy data from hacker hacking have been done, ranging from changing passwords regularly, to activating PIN and two-factor authentication with OTP (One Time Password).

Moreover, this is not the first case of hacking that has occurred in Indonesia. If you remember March 2019, the e-commerce site Bukalapak was also compromised by hackers. At that time, 13 million Bukalapak user accounts were hacked and traded on the dark web.

The hacker calling himself Gnosticplayers has even sold Bukalapak account data by retail on one of the dark web sites. The total profit converted into bitcoin is equivalent to US $ 5,000 or around Rp.72 million (Rp.14,500 at that time).

"With this incident, privacy data security is starting to be considered important and must be addressed immediately," said IT Security Researcher Didik Irawan while commenting on the Bukalapak hacking case in March 2019.

For Didik, accounts and privacy data stored on one site are important assets for someone in the digital universe. And in fact, e-commerce service providers provide more protection with a layered security system to avoid hacking or hacking into accessing user privacy data.

"The data that is uploaded to the internet is not unimportant. Everything is important and can be misused, especially for hackers and other irresponsible parties," said Didik.

Both service providers and users take an important role in maintaining the confidentiality of sensitive and confidential data. "Not only the security layer from the side of the site owner, but from the user side it needs to be considered as a preventive effort," he added.

Stagnation of discussions on the Personal Data Protection Bill

Reflecting on the Tokopedia case, the discussion on the Personal Data Protection Bill (PDP) seems to have to be discussed again by the government and the DPR. Because the PDP Law is considered important to protect privacy data both online and offline for Indonesians. In addition to regulations such as Law Number 11 of 2008 concerning Information and Electronic Transactions (ITE) and Government Regulation (PP) Number 71 2019.

Because the regulation will regulate the data security mechanism for users of information and electronic transactions. So it is hoped that it can provide legal certainty if personal data is misused by other people or parties.

Where in the PDP Bill draft contains 80 articles, one of which regulates a fine of IDR 100 billion for parties who process personal data without permission. This draft has also been submitted to the House of Representatives (DPR) around February 2020.

"Personal Data Controllers and Personal Data Processors who deliberately process Personal Data for commercial purposes and / or profiling without the consent of the Personal Data Owner as referred to in Article 58 will be subject to a maximum fine of Rp100 billion," reads Article 73 of the PDP Bill.

Article 58 reads "Personal Data Controllers and Personal Data Processors are prohibited from processing Personal Data for commercial purposes and / or profiling unless with the consent of the Personal Data Owner."

When translated Personal data in the draft PDP Law is any data about a person either identified and / or individually identifiable or combined with other information either directly or indirectly through electronic and / or non-electronic systems.

Unfortunately the draft PDP Bill is currently stuck in the hands of the DPR. According to the Director General of Informatics Applications, Samuel Abrijani Pangarepan, the discussion of the PDP Bill at the DPR is being hampered by the Covid-19 pandemic.

"We are designing an online meeting to discuss the PDP Bill. The discussion of the Bill is always followed by intense debate to find the best solution for the community," said the man who is familiarly called Sammy, as quoted from the Kompas.com page.

It is unfortunate that the regulations that protect the privacy data of the Indonesian people must be held up for a long time. Because the longer this regulation has not been completed, public accounts, both online and offline, will simply be neglected in the virtual space of the virtual world, and it is possible that many irresponsible people will abuse it.

It's different in Europe, which already has a General Data Protection Regulation (GDPR). This law provides a complete set of the mechanism for fines imposed by companies if they fail to protect user data.

At that time, British Airways was one of the airlines that the GDPR was concerned with, among the cases of passenger data leakage in 2018. The British airline also had to pay a fine of 204.6 million pounds or around Rp3 trillion for negligence in protecting passenger data.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)