"On May 2, 2020, we became aware of the data theft by an unauthorized third party regarding Tokopedia user information," Tanuwijaya said in the letter released on Tuesday.
Shortly after learning about the breach, Tokopedia notified users, while launching an investigation and making sure the accounts and transactions on the platform remained safe, he wrote.
"We continue to ensure that passwords are encrypted with one-way encryption," Tanuwijaya said.
The online shop company also worked with the Ministry of Communication and Informatics and the National Cyber and Crypto Agency to investigate the case, he added.
As part of its internal investigation, Tokopedia appointed an independent cyber security agency to assist in the investigation and identification of steps that need to be taken to improve user data protection.
The e-commerce platform found the data leak in early May this year. A hacker claimed responsibility for the leak and later claimed to have data comprising names, email addresses, and hashed passwords of 15 million Tokopedia users.
The estimated number of affected users was greater: almost 91 million.
In the meantime, the Indonesian Consumer Community (KKI) has filed a lawsuit in the Central Jakarta District Court against Tokopedia and the Ministry of Communication and Informatics over the data breach.
KKI's lawyer, Akhmad Zaenuddin, in a written statement here on May 7, 2020, cited Tokopedia's negligence as the reason behind the leak.
In line with existing laws, personal data is confidential and must be stored, maintained, and protected.
The regulation is laid down in Article 1, number 22 of Law Number 24 of 2013 on Amendment to Law Number 23 of 2006 on Population Administration in conjunction with Article 1, number 20 of PP Number 71 of 2019 on Operation of Electronic Systems and Transactions, in conjunction with Article 1, number 1 of PM of Communication and Information Number 20 of 2016 on Protection of Personal Data in Electronic Systems.
The state necessitates every party that obtains personal data to maintain confidentiality and protect the data and privacy of citizens conducting electronic transactions.
KKI chairman David Tobing expressed regret over Tokopedia not divulging details of the data that was stolen and mishandled by a third party.
The Communication and Informatics Ministry is also facing legal action over its alleged ineptness in supervising the implementation of the electronic system to prevent leakage of personal data, he said.
The ministry is tasked with controlling, inspecting, tracking, and securing personal data, in line with Article 35 and paragraph (1) of Government Regulation (PP) Number 71 of 2019.
Related news: G20 meeting discusses cybercrime: Finance minister
Related news: Chinese, Taiwanese criminals transferred to police headquarters in Jakarta
Translator: Natisha A, Fardah
Editor: Rahmad Nasution
Copyright © ANTARA 2020