A BPJS Kesehatan officer displays his digital health insurance card in Jakarta on Sep 13, 2019. (Antara Photo/Muhammad Adimaja)
Social Security Data Breach Exposes Virtually All Indonesians to Digital Fraud Risks
BY: JAKARTA GLOBE
MAY 21, 2021
Jakarta. A suspected breach of Indonesia's social security data has left virtually all Indonesians exposed to digital attacks and fraud, authorities and digital security experts warned on Friday.
The Communication and Information Technology Ministry said it suspected that personal records of at least 100,000 individuals had been leaked from BPJS Kesehatan, and it asked the country's national insurance company to notify the individuals about the breach.
The records were part of a sample database offered for free by an individual, or group of individuals, using the username Kotz, at the database sharing forum RaidForums.
Since May 12, Kotz has been trying to sell, for 0.15 bitcoins ($6,130), a larger database that they claimed holds more than 279 million records, containing information ranging from national identity numbers, social security numbers, phone numbers, and tax identification numbers to family members, blood type, and salaries.
BPJS Kesehatan reported it had 222.5 million users at the end of last year, covering about 82 percent of Indonesia's 270.2 million people.
"The ministry suspected the sample database is identical to BPJS Kesehatan's database," Dedy Permadi, the Communication and Information Technology spokesman, said.
"The suspicion is based on records of social security number, office code, family records, and payment status [in the sample database], which are identical with BPJS Kesehatan's records," Dedy said.
Dedy said the ministry had asked three websites hosting the sample database to take the sample down. Two of the websites have complied, he said.
The ministry has also summoned BPJS Kesehatan's directors to explain the data breach.
It also reminded BPJS Kesehatan that under a 2019 Government Regulation on the Operation of Electronic Systems and Transactions, the insurance body had an obligation to notify the authorities and the individuals affected by the data breach at the earliest possible opportunity.
M. Iqbal Anas Ma'ruf, BPJS Kesehatan's head of public relations, said earlier on Thursday that the insurance body had launched an investigation into the suspected data breach.
Iqbal also said BPJS Kesehatan guaranteed the security of BPJS Health participant data.
"With complex big data stored on our servers, we have a strict and layered data security system to ensure the confidentiality of such data, including [the national insurance scheme] participant's data," said Iqbal.
If true, this would be the largest personal data breach the country has ever seen. Last year, a hacker leaked 15 million user accounts of Tokopedia, one of the largest e-commerce companies in Indonesia.
Pratama Persadha, the chairman of Communication & Information System Security Research Center (CISSReC), a Jakarta-based research group specializing in digital security, said fraudsters could use the data to carry out targeted phishing or other types of social engineering attacks.
"Even though the database did not contain sensitive data such as credit card details, with some personal data that exists, cybercriminals have more than enough to cause real damage and threats," Pratama said on Thursday.
Criminals can combine the information found in the leaked database with other data breaches to create detailed profiles of their potential victims. With such information, criminals can devise a more convincing scenario to trick their victims, Pratama said.