On August 31, a user named Bjorka posted an entry on a little-known site called Breached Forums, with the bland title: “Indonesia SIM Card (Phone Number) Registration 1.3 Billion.” Those few words signaled a vast data hack into 1.3 billion SIM registrations — one that revealed national identity numbers, phone numbers, names of telecommunications providers, and more.  

Indonesians woke up to the breach in confusion, which quickly turned into anger. The Ministry of Communication and Information Technology, or Kominfo, responded by telling citizens they were responsible for regularly changing their passwords; popular meme accounts reposted the advice with bitter jokes. An official pleaded haplessly with Bjorka at a press conference: “If you can, please don’t attack.” “Stop being an idiot,” Bjorka jeered back on their Breached account.

Digital rights group Safenet labeled the Bjorka incident as the biggest-ever data breach case in Asia, and it might have been more shocking if it wasn’t so common. Indonesians’ data is exposed at such a rapid and regular rate that citizens jokingly call it an “open-source country.” 

In 2020, leaks from companies, including e-commerce giants Tokopedia and Bukalapak, exposed over 100 million users’ personal data. The following year, a hacker breached the databases of BPJS Kesehatan, the country’s healthcare and social security agency, revealing national ID numbers and more for 279 million people, some of whom are deceased.

After years of increasingly brazen leaks, frustration among Indonesians is reaching a boiling point — enough to fuel the hasty passage of a long-delayed personal data protection bill in September, and the formation of a task force directed to hunt down the hacker Bjorka. 

In a twist, many Indonesians have even sided with the hacker, who claimed to have executed the breach to expose sloppy data governance. Along with the mammoth citizen data leak, the gleefully chaotic Bjorka appeared to dox Kominfo Minister Johnny G. Plate on his own birthday. “Happy birthday,” they reportedly posted in their Telegram channel, Bjorkanism, followed by intimate details ranging from his address to home telephone number to vaccine ID.

“In 2018, [Kominfo] forced us to register for phone numbers using [government ID], promising us to be free of spam,” cybersecurity consultant Teguh Aprianto pointed out on Twitter. “[Not only] we are not free of spam, [but] registration data … are leaked and sold instead.” The tweet was rapidly shared more than 17,000 times and liked by some 27,000 accounts — just one of a slew of angry posts and hashtags, directed at Kominfo, that have flown around social media.

Kominfo and the National Cyber and Crypto Agency (BSSN) did not respond to requests for comment.

Maryam Jameelah, a lecturer in Malang, East Java, admitted feeling traumatized when reading about the recent data breach cases in the news. Two years ago, Jameelah was one of the victims of the Tokopedia data leak, and for months she would receive bills for transactions she’d never made.

“I had to change my number and all of my accounts,” Jameelah told Rest of World. “It is very upsetting.”

Mulyadi, an IT auditor at a Big Four firm, told Rest of World he holds the government responsible, and wants further action. “Hire a consultant to investigate what data has been breached, what’s the root cause, and what’s the next step,” said Mulyadi, who has also been frustrated by spam sent to his private number. “What is important to us is knowing there’s a concrete action.”

Despite the passage of the personal data protection bill, which details criminal sanctions for data handlers and corporations in case of a data leak, experts say the new measures are temporary, designed to cool Indonesians’ rage.

“It depends on who is on the team [of the taskforce]. Do they have competence?” Ismail Fahmi, founder of media tracker Drone Emprit, told Rest of World. “This is just for the short term.”

At the heart of the issue is a patchwork approach to data security. Companies must share customer data with the Ministry of Internal Affairs to verify their identities, a government official told Rest of World, requesting anonymity because they were not authorized to speak to the media. Several state departments are authorized to safeguard certain parts of citizens’ private data, a group that includes Kominfo, BSSN, the Ministry of Internal Affairs, and the National Police. As a result, when a leak occurs, it’s not always clear where the breach originated: from one of the government agencies, or the companies themselves.

These state departments are also supposed to work together. But coordination is lacking, while leaks are rampant. Kominfo, for instance, presides over communication, information, and internet laws; BSSN is tasked with improving the system against hacks; and the police’s cyber crime unit is set up to enforce cyber crime-related laws, including on hacking, web defacement, hate speech, fraud, and data theft. Meanwhile, the Ministry of Internal Affairs, as the holder of civil records for all Indonesians, is expected to have a watertight security system.

The government official explained to Rest of World that when data breaches happen, Kominfo, the national cyber security agency BSSN, and the platforms all have investigations running, but there’s no system for them to fully coordinate the results.

“Unfortunately, [state departments] almost never share their investigation results with Kominfo, so the ministry is often forced to offer a recommendation only based on compliance information,” which constitutes basic security standards, the official said.

Much of Indonesians’ hope now seems to hinge on the personal data protection bill and the new authority that will subsequently be created. The president will have the prerogative to decide who will make up the new institution.

Wahyudi Djafar, executive director of the Institute for Policy Research and Advocacy (ELSAM), told Rest of World that he supported the bill’s provision for the creation of a data protection agency. But, Djafar warned, “If the authority was not created as an independent body, it would be difficult to ensure the effectiveness of the bill.”

“The challenge is how strong this institution’s authority will be, [which] will entirely depend on the president’s good faith,” Djafar added.