JAKARTA: Indonesians are still being affected by last week’s ransomware attack on a temporary national data center (PDN) that disrupted public services, with some calling for the government to take responsibility for failing to properly secure their personal data.

The cyberattack on the data center in Surabaya, East Java, occurred on June 20 and disrupted immigration services at Soekarno-Hatta International Airport in Tangerang, Banten, as well as student enrollment at state schools in Serang, Banten, and Dumai, Riau.

As of Wednesday (June 26), five of the affected agencies had restored their database access and resumed services, including the immigration office, the Maritime Affairs and Investment Ministry, the Kediri municipal administration in East Java, the Religious Affairs Ministry and the National Procurement Agency (LKPP).

The government is aiming to restore at least 18 central and regional administration databases affected by the attack by the end of this month, the Communications and Information Ministry’s director general for information and public communication, Usman Kansong, said at a press briefing on Wednesday.

However, the figure is still a far cry from the total 282 impacted databases reported on Tuesday by state-owned communications company PT Telkom Indonesia, whose subsidiary Telkomsigma operates the Surabaya facility.

The disruptions nearly caused 46-year-old Bambang Sadono to miss his flight last week.

Bambang arrived at Soekarno-Hatta International Airport on June 20 to find long lines at the immigration counters.

He managed to board his plane only 10 minutes before it took off, after going through a manual immigration check, he told The Jakarta Post.

As of Monday, immigration services had been mostly restored, with Law and Human Rights Minister Yasonna Laoly saying his office had temporarily moved the relevant data to cloud storage run by Amazon Web Services.

Delays continue But passport services at certain immigration offices appeared not to be fully recovered on Wednesday, as some Indonesians awaited the issuance of delayed passports.

Erika Andini, 27, had been trying to get her passport reissued after it was lost.

The immigration office in Yogyakarta, where she resides, had promised her a new passport two weeks from June 4.

But after three weeks had passed, the immigration office told her that the data center breach was preventing them from issuing her passport.

The delay may force her to cancel her flight to Singapore next week.

“I’ve called the immigration office multiple times, but they have not given me a clear estimate of when my passport will be ready,” she said.

The cyberattack has also affected the database of the Education, Culture, Research and Technology Ministry, making the website of the Smart Indonesia Card for University Students (KIP Kuliah), a program to assist low-income students and applicants, inaccessible since last week.

Twenty-year-old Sukmawati of Lampung was worried that she would not be able to apply for a reduced fee for the University of Indonesia (UI) admission test this year.

“The deadline for applying to UI under the KIP Kuliah track is on June 28. If the KIP Kuliah page does not come online soon, I’ll never make it,” she told the Post on Wednesday.

In a Wednesday press briefing, authorities in charge of restoring the data center declined to reveal what other public services remained disrupted.

Privacy concerns Inconveniences and possible financial losses aside, many people also fear their compromised personal data will be used for ill.

“I’m terrified that my data will be misused for fraud, considering that the hacked data surely has [sensitive information related to immigration], such as my face ID and fingerprints,” Andini said.

No details have been disclosed on what quantity of personal data had been stored at the temporary facility and who the attackers were.

The ransomware Brain Cipher encrypted the data, effectively making it inaccessible to anyone but the hackers, and the unnamed attackers demanded a ransom of US$8 million to return control to the government.

Telkom director for network and IT solutions Herlan Wijanarko said at the Wednesday press briefing that the government had “isolated the temporary facility in Surabaya so [the encrypted data] cannot be accessed from outside or misused”, although it remains unclear whether the attackers had already exfiltrated the data.

The communications ministry has been adamant that the government will not pay the ransom, with deputy minister Nezar Patria saying on Tuesday night, “We won’t be easily intimidated. We are still trying to mitigate [the data failure] while investigating it. Actions will be taken."

Wahyudi Djafar, director of the Institute for Policy Research and Advocacy for Society (Elsam), a longtime campaigner for data privacy, said people could sue the government for negligence in protecting their personal information, as stipulated in a 2022 privacy law.

He said Article 46 of the law required the government to immediately notify the public of a failure to protect their personal data, to clarify how much data was lost or compromised and outline what the next recovery steps should be. - The Jakarta Post/ANN