BRI Life Data Breach Proves Lack of Regulatory Protection, Says ICT Director
29 July 2021 22:03 WIB

TEMPO.CO, Jakarta - The recent case involving an alleged data breach compromising the personal information of 2 million BRI Life insurance customers is a nagging alert for the Indonesian government to strengthen regulation of personal data security and cybersecurity. Information and Communication Technology (ICT) director, Heru Sutadi, on Thursday argued that this case proves how weak the authorities are in regulating this critical aspect.
“Our regulations are still too weak. There is no coercive function for data guardians to protect user data,” said Sutadi to Tempo on July 29.
Media headlines were saturated by reports of an alleged breach of BRI Life customer data, which is supposedly being sold online.
Information regarding the alleged major data breach was first leaked by a Twitter account, which alleged that the perpetrators had threatened to sell the sensitive data of 2 million insurance customers for a price reaching US$7,000, or Rp101.5 million at the current exchange rate.
The social media account also posted a 30-minute video showing the alleged perpetrators exhibiting 250 GB worth of data they managed to steal, which consists of the personal data of 2 million users and 436,000 documents.
This case is not an isolated one; such breaches have seemingly recurred within a short amount of time. According to Heru, data breaches have shown a growing trend and are even found to happen nearly every month.
Based on data from the Communication and Informatics Ministry (Kominfo), 29 institutions have fallen victim to this crime in the past three years. Another major case came in May this year, when the data of 279 state healthcare insurance (BPJS) users was leaked online and sold on Raid Forums for 0.15 Bitcoins or Rp87.1 million.
One year before that, the data of 91 million users of e-commerce Tokopedia, including 7 million merchants, was leaked and sold on the dark web's Empire Market for US$5,000.
Heru said there are no serious attempts to tackle these private data breaches and said regulators seemingly ignore the depth of the issue. A number of cases also suddenly disappeared. Regulators and institutions that should be accountable for data breaches have at times ignored the facts and lacked transparency, which only allows cases involving cybercrime to potentially arise in the future.
“No compensations for users were enforced or had even entered the courts. This is still weak,” he said.
He cited the Facebook data breach several years back that rocked the global stage. “Mark Zuckerberg himself apologized and admitted the breach, but in Indonesia, data breaches are deemed nonexistent,” he added.
FRANCISCA CHRISTY ROSANA