The issue of data leakage from the Indonesian Child Protection Commission (KPAI) has attracted the attention of cyber security experts. The data includes the identities of minors, which underscores their vulnerability to online predators.
In the middle of this week, KPAI came into the spotlight after a number of screenshots from the Raid Forums hacker forum showed a user with the username C77 offering the KPAI’s data.
According to the chairman of the CISSReC cybersecurity study institute, Pratama Persadha, the data leak is valid. The data allegedly contains a database of public reporting from all over Indonesia from 2016 until now.
Pratama explained that the leaked KPAI database had complete details on the identity of the reporter, such as name, identity number, nationality, telephone, cellphone, religion, occupation, education, address, email, place of birth, date of birth, gender, province, city, age, and reporting date.
“Two databases were provided, namely 13MB in size with the file name kpai_pengaduan_csv and 25MB with the name kpai_pengaduan2_csv. To download it, Raid Forums users must issue 8 credits per data or around IDR 35 thousand rupiah,” said Pratama in his official statement.
Pratama said that apart from the monthly income data column, case summary, and mediation results, the leaked KPAI data is also suspected to include a list of identity data of victims who are still underage.
This data leak is very dangerous because online predators can pick out targets from the data it contains, said Pratama.
“The existing data is very sensitive data to be misused on the internet. Such as online fraud as has often happened recently.”
Pratama Persadha, Chairman of CISSReC
In addition to the KPAI data leak, Pratama also found a leak of Bank Jatim data which was sold by an account with the username bl4ckt0r for 250,000 US dollars.
The perpetrator provided 378GB of data consisting of 259 databases. This data includes sensitive data such as customer data, employee data, personal financial data, and much more.
“Of course this is a serious concern for the government. Digital forensics needs to be done to find out which security holes are used to break through, whether from the SQL (Structured Query Language) side so that SQL Injection is exposed or there are other security holes,” said Pratama.
Pratama explained that systems and human resources should be strengthened, and that technology, especially for data security, also needs to be adopted. Indonesia itself is still considered vulnerable to hacking because cybersecurity awareness is still low.
Pratama also emphasized the importance of having a Personal Data Protection Law (UU PDP) that is firm and strict, as in Europe. According to him, the absence of the PDP Law is the main factor in many major hacks in the country targeting the theft of personal data.
“There have been many incidents like this, the Government and the DPR should have agreed to pass the PDP Law. Without a strong PDP Law, private data managers, both state and private institutions, will not be held accountable further and will not be able to force them to improve their technology, human resources and information system security,” he explained.