News pertaining to data leaks have continued to surface since the start of this year.
Cybersecurity expert Pratama Persadha remarked that annually, a leak is always reported in several government institutions, starting from the Health Ministry to Bank Indonesia (BI).
However, a resolution to the cases of hacking in Indonesia is nowhere to be found despite the authorities having responded to the data leak.
A case that recently came to light was a ransomware attack on the BI website.
As of January 26, 2022, BI's 368 internal computers were claimed to have been hacked by a Conti ransomware group, with 1330 gigabytes of data being uploaded.
In connection with this data leak, the National Police (Polri) investigates this case and also communicates with BI, Polri's Public Relations Head Dedi Prasetyo told ANTARA here on Thursday, January 20.
Related news: Financial institutions main target of cyberattacks: OJK
Moreover, Persadha drew attention to the state-owned oil company Pertamina's leak case.
The website https://recruitment.pertamina-ptc.com still cannot be accessed to this day ever since the news of the data leak surfaced.
Several reasons behind the inaccessibility of the Pertamina Training and Consulting include an audit assessment that had yet to be conducted on the system in the government's institution.
It is also likely that Pertamina is not yet confident that it has sterilized the system from the malware that the hacker utilized.
Moreover, it may not be sure that it could bolster its defence post-attack to make it safer from a takedown.
Related news: Cyber police pose risk to Indonesia's democracy: LP3ES
It should not take too long for an organization as large as Pertamina to deal with this type of problem, especially since the website involves a third party and utilizes a service level agreement (SLA).
This means, with SLA, there is standardization and accountability regarding the website's service and others, such as its security.
Points within the SLA are crucial since during several recent hacking cases, the perpetrator had attacked the weakest segment, such as the vendor, which is why it is called a supply chain attack.
This means assessment in starting system development should prioritize cybersecurity in order to receive the best product and vendor.
Related news: People should be educated about gender-based cyber violence: Official
Targeted Data
Several hacking attempts were made for the targeted data. In 2020, data on over 91 million Tokopedia users was leaked followed by the incident in which data of users from the Health Ministry's e-HAC app were exposed in addition to the cases of BRI Life, Pertamina-PTC, and BI.
The repercussions are grave since almost all government institutions hold important and confidential data.
In addition to mitigation, what should also be taken into account is prioritizing cybersecurity and the security factor in building the system.
To this end, electronic system operators that experience hacking and a leak are obligated to be transparent to the public.
During the cases of hacking in banks, national private companies, government institutions, and State-Owned Enterprises (SOEs), they have to realize that this data is important from the start.
This means the data should be protected not just from hackers but also from their own employees, who can intentionally or unintentionally abuse them.
This becomes increasingly important since the source of the data leak, apart from hacking, could be a system error and/or human error, thereby mandating reformation across all sectors.
Related news: Importance of cyber protection in MSMEs digitalization
For instance, in building a system, the cybersecurity factor should be prioritized and not just user friendliness or an attractive user interface.
The human resources and technology should also take into account cybersecurity. This means that organic human resources that could understand the existing information system process should be prepared and not just rely on vendors.
They should understand how to conduct maintenance and mitigation steps in the event of an attack and anomaly within their system.
The technology should support cybersecurity. For instance, in the Tokopedia case that resulted in the data of more than 91 million users being leaked, it was known that only the password within the user data was encrypted.
This is despite the fact that other data is just as important, such as the name, address, phone numbers, and email.
Related news: Leaked COVID-19 patients' data not from PeduliLindungi: BSSN
Mitigation Steps
Several companies or nations worldwide have been hacked before.
If there is no news of an institution been hacked, it could be because they never checked them, or the hackers never publicized it, or they intentionally hid it for several factors.
To this end, the world's tech giants usually hold the Bug Bounties program.
This program is an initiative in which a company will provide a sum of money for those who could find and penetrate the gap within the company's security system as a form of appreciation.
Google and Apple readily provide millions of US dollars for this program. Meanwhile, this type of culture has not been followed much in Indonesia in government institutions and private companies.
Every time there is a report of a leak, let alone a reward, this report is usually never responded to, such as in the Health Ministry's e-HAC case.
In fact, people mock the fact that any report of a security gap within an institution's information system will only yield a thank you in Indonesia.
During the pandemic, all parties finally learned that vulnerabilities also exist during work from home.
Corporations in Indonesia are not accustomed to providing their employees with safe software, hardware, and network to access the office's system.
At the very least, people should be edified to not access the internet from a dangerous network, such as free public WI-FI.
In addition, they should be given an anti-virus software, virtual private network (VPN), and tools, such as zero trust.
Lastly, as a preventive measure against hacking, security bolstering and routine pentest (penetration test) have become increasingly necessary.
Related news: Indef highlights private sector's role in green economy development
Related news: Jakarta, W Java governors discuss preparations for Youth 20 Summit
Editor: Fardah Assegaf
Copyright © ANTARA 2022
