Fresh data breach puts pressure on Indonesian government to form cyber privacy agency


JAKARTA: Pressure is again mounting on the government to establish a new agency overseeing cyber privacy, just two months before the Personal Data Protection (PDP) Law goes into full effect, following fresh reports alleging that data stolen from a civil service database are being sold on the dark web.

A hacker going by the pseudonym TopiAx claimed over the weekend that they had stolen the data of 4.7 million civil servants from the National Civil Service Agency (BKN) database and uploaded them to sell on the hacking site BreachForums.

TopiAx said the stolen data included the civil servants’ full names, employment records, email addresses and national identification numbers.

The BKN did not immediately confirm the breach, but instructed every civil servant using any of the agency’s digital platforms to change their passwords as a stopgap measure.

The agency added that periodically changing passwords was required to avoid compromising its systems.

“We are currently working with the National Cyber and Encryption Agency [BSSN] and the Communications and Information Ministry to investigate the alleged data breach and assess steps to mitigate [potential] risks,” BKN spokesperson Vino Dita Tama said in a statement on Monday (Aug 12).

“Nevertheless, the BKN can assure that the alleged [hacking] incident does not affect our civil service management system,” Vino added.

The alleged data breach was first reported on Sunday (Aug 11) by the Communication & Information System Security Research Centre (CISSReC).

The cybersecurity watchdog immediately tried to verify the stolen data published on the dark web by sampling a dataset linked to civil servants in Aceh, and found indications of their authenticity.

The latest hacking incident comes less than two months after a major ransomware attack in late June on one of two temporary national data centres (PDN) in Surabaya, East Java.

That cyberattack affected the databases of some 280 central and regional institutions and caused nationwide disruption to public services connected to the targeted PDN.

Security remains a problem at government-built digital infrastructure, even after lawmakers passed the Personal Data Protection Law in October 2022 to give citizens more control over their personal information.

The law, which aims to spur improvements in cybersecurity, granted a grace period of two years for data controllers and processors to build security systems and for the government to set up a data protection oversight agency.

This new agency is also authorised to impose administrative sanctions and nonjudicial punishment in the form of fines on noncompliant data controllers and processors. But the government still has not established the agency to date and has less than two months until the October 2024 deadline.

“With incidents of personal data leaks becoming more frequent, the government must immediately establish a personal data protection agency so actions can be taken against data handling institutions when breaches do occur,” Pratama Persadha of the CISSReC said on Sunday.

“We also need a clear regulation to hold any state-owned or private electronic services providers legally liable for failure to protect their systems. We need to create deterrence, so data handlers will improve their cybersecurity and human resources,” he said.

Pratama suggested that policymakers mandate every central and regional institution to regularly evaluate their cybersecurity systems.

The databases of government institutions, including state-owned enterprises, have been a target of cyberattacks in the past few years.

Notable cyber incidents have targeted the customer database of state-owned Bank Syariah Indonesia (BSI) as well as the government’s voter database, which was reportedly breached late last year at the start of campaigning for the 2024 general election.

“It’s clear that the government did not learn a lesson from the massive [ransomware attack]. It happened before and it has happened again,” Wahyudi Djafar, director of the Institute for Policy Research and Advocacy (Elsam) and a longtime data privacy advocate, said on Tuesday (Aug 13).

“How serious the government, and the BKN, are in dealing with the latest alleged incident is an indicator of how ready they are in implementing the [data] privacy law when it comes into full effect two months from now,” he added.

Officials at the communications ministry were not immediately available for comment when contacted by The Jakarta Post.

Last week, informatics applications director general Hokky Situngkir told a press briefing that the government was still drafting the necessary regulations to set up the cyber privacy agency, Antara reported. – The Jakarta Post/ANN

   
