Failed To Protect PDN Data, Government Violates PDP Law

Photo Illustration By Andry Winnarko (VOI)

JAKARTA The National Data Center (PDN) has experienced cyber attacks since Thursday, June 20 and has not fully recovered. Despite trying to recover these data, the government, in this case, a team from the Ministry of Communication and Information, BSSN, Polri and also Telkom as the PDN management, finally admitted that they failed to recover the data stored in PDN.

"We are working hard to recover our resources. What is clear is that we cannot recover the data that has been affected by ransomware. So now we use the resources we still have," said Telkom Network and IT Solution Director, Herlan Wijanarko, Wednesday, June 26.

According to the Director of ELSAM, Wahyudi Djafar, hacking of PDN and data breaches of a number of agencies show that the government's protection system is very vulnerable, and must be addressed according to the standard law.

Various cases of alleged violation of personal data, in the form of attacks on data confidentiality (confidentiality), which has an impact on disclosing a number of data elements, managed by government data controllers, further emphasize the vulnerability of the data protection system they implement," he said, Monday, July 1, 2024.

He revealed, in the midst of efforts to recover from PDN Meanwhile, due to ransomware attacks, a number of data from government agencies were being sold by hackers through special sites. A number of agencies suspected of having data breaches are the Directorate General of Civil Aviation (employee data and photos, usernames and passwords for all applications, participants in drone pilot certification, and flight data).

Other institutions whose data was leaked by hackers were the Employment Social Security Administration (BPJS) which included the name and date of birth of BPJS Ketenagakerjaan participants, email addresses, telephone numbers, age groups, addresses, postal codes.

Then the hacker also admitted to stealing data from the TNI Strategic Intelligence Agency (BAIS), Indonesia Automatic Fingerprint Identification System (INAFIS) Polri (covering sensitive data on fingerprints), Denpasar City Government, and Semarang City Government.

Government Data Protection Is Not In Accordance With The Standards Of The Law

Although it is not yet known whether the data source of a number of agencies came from hacking PDN Meanwhile or others, the management of these data involves controlling personal data from the government-run public sector.

Wahyudi emphasized that if the government is negligent in managing and guaranteeing data protection, it is tantamount to violating the Personal Data Protection Act (PDP). This is because Law Number 27/2022 concerning Personal Data Protection also applies to all public data controllers, including implementing all compliance standards.

"The government as the data controller must be responsible and obedient to the law, ensure data processing security, record data processing activities, maintain data confidentiality, submit notifications (notifications) in case of violations, and assess the impact of data protection," he explained.

Wahyudi stated, because it is a mandate in the PDP Law, the government should take technical and organizational steps to ensure compliance. In addition, the government must also move quickly to take strategic steps after the incident of hacking ransomware against PDN Meanwhile, and the alleged burglary of data from a number of institutions, so as not to interfere with the implementation of the Electronic-Based Government System (SPBE).

He said the vulnerability to protecting the personal data of citizens managed by public institutions was not only related to the large risk of disclosing the data. But it can also have an impact on integrity to data loss, such as the case of the Temporary PDN hack.

Cyber attacks, Wahyudi continued, could create confidentiality (confidentiality), integrity, and availability (availability) of data at risk. In fact, the creation of PDN is at the heart of the security goals of public data and the government.

"If a thorough improvement is not carried out immediately, it is feared that risks and threats to residents will get worse, it will be more difficult to mitigate, and of course it will result in a large amount of economic losses," he said.

He gave an example, the South Korean government in 2019, had to spend a budget of up to 650 million US dollars to handle public data hacking. Such a large budget was disbursed to change the identity of 50 million South Koreans due to 20 million citizens being victims of data breaches in 2014.

Cybersecurity expert from the ITS Cyber Smart City Laboratory and Cybersecurity, Ridho Rahman Hariadi, the government's failure to protect data in PDN Meanwhile, it not only threatens large institutions, but also has an impact on the wider community.

Threats to the public can include loss of personal data such as photos, documents, and financial information infected with ransomware. Offenders can steal sensitive data and threaten to publish or sell them if the ransom is not paid.

"In addition, the perpetrators can also attack social media accounts to banks for certain benefits. This will certainly bring discomfort and potential harm to the community," he said.

Ridho suggested that the government strengthen cooperation with educational institutions and research institutions to develop solutions and overcome future attacks. Including through training programs, seminars, and research, to strengthen national cyber resilience.

Through these steps, it is hoped that incidents of ransomware attacks can be minimized and national cyber resilience can be increased. The reason is, these two things are very crucial in protecting important public data and services for the public.

"Awareness of the importance of cybersecurity must continue to be improved, both among the government, the private sector, and the general public, to ensure that critical data and systems remain protected from the growing threat," said Ridho.

Data Protection Becomes A Joint Task Of Organizers And Users

The Minister of Communication and Information, Budi Arie Setiadi stated that cybersecurity, including data protection, is a shared task of all stakeholders. Because there are at least three aspects related to security guarantees in the implementation and utilization of PDN that must be a common concern between organizers and users of PDN services.

"There are three aspects that PDN organizers and PDN service users must pay attention to, which are abbreviated to the CIA, namely aspects of confidence, integrity, and availability of data and information," he explained.

In the aspect of confidentiality, PDN has implemented physical security up to IT security at hardware levels, networks and cloud systems. The implementation of security also refers to several international standards, namely ISO 27001, including physical security by requiring access to data centers through multiple layers of screening, such as data collection of access at entrance gates to enter the data center space by re-registering to get access to data centers and server racks that will be targeted with electronic ID cards + fingerprint, installation of devices such as firewall networks, Web Application Firewall, AntiDDOS, Automatic Vulnerability, Integrity Monitoring Files, Email Security, Network Antivirus, and SIEM levels, security at Operating System level, Platfom Management Applications, and Data Management because PDN service users use IaS services (Infrastructure as a Service) namely the use of VPS/Virtual Machine and data management, in particular strategic and confidential data.

"In terms of authenticity, PDN service users must also anticipate hacking of data and information, by implementing security on applications such as the application of anti SQL injection, Cross-Site Script (XSS), Phishing, Social Engineering, Insider Threat, etc. so that the information submitted on the website is preserved," said Budi Arie.