Over 270 million Indonesians have reportedly been compromised after threat actors have stolen personal and social security data. The data breach has since been confirmed by the Communication and Information Ministry of Indonesia, but The Straits Times said the department has downplayed the extent of the incident.
According to The Straits Times, a user who went by the name Kotz posted on a popular online forum called RaidForums a number of samples collected from the data breach. The threat actor claimed it had gained access to the data of more than 270 million Indonesians.
Based on the post written by Kotz on the said forum, the sample posted included names of Indonesians, as well as residential addresses and phone numbers. The hacker also posted the citizenship identity numbers of these individuals. Overall, the sample posted in total amounted to one million citizens.
Bleeping Computer states that the threat actor also claimed to have the date of birth, place of birth, KTP NIK number, KK numbers, and more, of these 270 million individuals.
Jakarta Globe mentioned that Kotz has been trying to sell the data in question for around 0.15 bitcoin, approximately $6,130 since May 12, 2021.
In a statement last Thursday, May 20, 2021, the agency said that it is investigating the data leak, saying, “We have deployed a special team to track and find the source as soon as possible.”
In addition to investigating the incident, the Straits Times states that the agency was adamant in saying that it continues to have a strong security system in place designed to keep information guarded.
As part of its investigation, the Communication and Information Ministry said that it had taken around 100,002 samples to further look into. The number was significantly lower than the threat actor initially claimed, notes The Straits Times.
Most of the information found on the data sample in question was reportedly “identical to BPJS Kesehatan’s data,” said Dedy Permadi, reveals Reuters. BPJS provides universal health coverage to users throughout the whole of Indonesia.
Given this, Permadi said, “the communications ministry has summoned the directors of BPJS Kesehatan as the manager of the personal data allegedly leaked.”
As part of the steps taken by the communications ministry, it has already cut off links for users and other individuals to access the said personal data. Some of the host sites have already removed the said download links, reports Reuters.