Data concerns rise again in Indonesia after Indonesian president’s vaccine certificate is leaked online

Sharp criticism among the general Indonesian public arises once again following the leak of the covid vaccine certificate of Joko Widodo, the Indonesian Prime Minister.   

The circulated certificate which contains Mr Widodo’s ID number and vaccination times was reportedly found on an official vaccine monitoring app known as PeduliLindungi, demonstrating the relative ease of obtaining related sensitive medical information, resulting in the public urging for tougher cybersecurity protection.  

The blame concerning lack of data protection was shifted among government officials as officials working under the Ministry of Communication and Information stated that Mr Widodo’s data was accessed using the General Commission of Elections website. Following on from this, it was stated that access to public official’s private data was blocked after news of the breach. 

As stated by cybersecurity analyst Alfons Tanujaya in Jakarta, “data breaches happen more frequently in Indonesia because of the very high digital penetration in Indonesia which unfortunately is not followed by proper digital awareness from those who are managing the data”.   

This was the second serious data breach that occurred in the same week as earlier, 1.3 million people had their data compromised stemming from an issue with the national covid tracking app.   

Early in May, the online mall Tokopedia suffered Indonesia’s worst data breach which resulted in 91 million accounts being put up for sale on the Dark Web. It was reported that earlier in July, this data which could be used as part of phishing scams resurfaced for sale at a value of $15. 

Just a few days after the breach of Tokopedia, a smaller company named Bhinneka was targeted in a hacking attack which resulted in gained access to 1.2 million accounts.  

Again, in May, Indonesia’s election commission stated that 2.3 million voters had their private data copied.  

In March 2020, an online shopping site named Bukalapak became the victim of hackers who stole personal data of 13 million accounts.   

Following on from this string of cybersecurity breeches, a new data protection law was due for the end of 2020 made it illegal for customer data to be collected without permission. Additionally, it became a legal requirement for customers to be informed if their personal information was accessed.  

The law states that consequences for businesses not upholding this is a 210 billion Rupiah ($20.3 million) for corporations and up to 7 years of imprisonment for individuals. In addition to this, a data protection officer will need to be employed to ensure that the company implements the necessary changes associated with the passed law. Furthermore, an increased cost of 10%-20% working capital to train staff and upgrade the networks. This training will need to be implemented to change daily practices which increase the risk of security breaches, for example, leaving IDs on tables.  

Although this law has been passed, it is not enough. Further efforts to ensure data protection and cybersecurity needs to be expanded as Indonesia has become a hotspot for cybersecurity breaches. As Indonesia is a developing country, this seems like a challenging task regarding funding.