Indonesia’s recent e-HAC data leak has drawn condemnation from activists to politicians alike. But for the country’s hackers, this furore is simply too little, too late. UNSPLASH
“Nothing is ever 100 per cent secure,” said Anton Muhajir, a digital security trainer at Southeast Asia Freedom of Expression Network (Safenet). “Things change, hackers get smarter. The question is, have we prepared a sensible amount of security in the first place?”
The answer, for Anton and other digital security experts, is a resounding “no”. As the fallout from Indonesia’s latest personal data breach continues, they question the government’s commitment to securing its digital realm.
Dominoes began falling after the publication of a report by vpnMentor on August 30. Its researchers revealed that the personal data of Indonesian citizens gathered in the country’s official electronic Health Alert Card (e-HAC) test-and-trace app, could be readily accessed by the public – an obvious and glaring security breach.
According to hacker and digital security expert Teguh Aprianto, vpnMentor was able to access e-HAC’s data through popular search engine Elasticsearch. “The database of e-HAC was stored there, and the public could access it freely. Which is ridiculous,” Teguh said. “We can’t guarantee that vpnMaster were the first people to notice that the data was literally just sitting there.”
In the worst-case scenario, they were simply the first people to call this issue to attention.
Sensitive personal data including ID numbers, passport information, Covid-19 test results, addresses, phone numbers, photographs and other data from at least 1.3 million users were reportedly compromised. Unfortunately, this is nothing new. According to Teguh, hackers have long enjoyed running rings around the country’s lacklustre digital security protocols.
On good days, these leaks are caught by good Samaritans intent on improving the country’s digital security. On most days, though, these breaches will lead us into a murky world of underground marketplaces, extortion and crime.
“It may surprise you,” Anton said. “But most data leaks stem from good intentions.”
A community of ethical hackers and bug hunters would test out the security protocols and capacity of various websites, before informing the website owner if any breach was found. Some “hackers” are professionally hired by these companies to test out the integrity of their own website, while many operate on an individual and altruistic basis.
The only issue is if the website owner decides to ignore these reports. According to vpnMentor, its researchers detected a data breach on e-HAC as recently as mid-July. Attempts to inform the health ministry, the Indonesia Security Incident Response Team on Internet Infrastructure (ID-SIRTII) and the Computer Emergency Response Team (CERT Indonesia) were reportedly met with silence. After contacting the National Cyber and Encryption Agency (BSSN) late last month, e-HAC servers were quietly shut down on August 24.
By then however, it was probably already too late. “Rumours about e-HAC being compromised have spread around the hacker community since last year,” Teguh revealed. “Some even say the data have been spread on underground forums. The report from vpnMentor finally confirmed these long-standing rumours. But people in the know have seen this coming for a while.”
“When leaks like this happen, the motive is usually political or economic,” Anton stated. With large-scale leaks however, economic reasons are far more common. There is simply an inordinate amount of value attached to verified, detailed personal data, and a marketplace of hungry characters eager to purchase the data.
According to Teguh, more family friendly, bread and butter transactions would happen on the popular website Raidforum. “People would post in a thread, letting other users know what data this was, set a price, and leave contact information,” he revealed. Most people traversing these forums are simply sly businessmen, eager to illegally obtain a large, instant customer database.
Of course, crime is not far from the equation. “The more dangerous stuff happens underground, especially on the dark web,” Teguh said. “There’s a shocking amount of explicit material out there, obtained mostly by hacking people’s emails. Sometimes it’s sold and used for sexual extortion, other times it’s out there for free as a form of revenge porn.”
To make matters worse, these forums usually take care to reveal the subject’s personal information to the public, thereby exposing them to further reprisals. At best, data leaks will expose a person to unscrupulous lenders looking to make an easy buck. At worst, it is a monumental event that could upend a person’s life.
Government responsibility
For its part, the government has issued a slew of denials. In a press conference last week along with the BSSN, the head of the health ministry’s Data and Information Centre, Anas Mas’ruf, insisted that no citizen data were leaked. Bewilderingly, though, he also implored citizens to delete the e-HAC app and use PeduliLindungi, the latest all-encompassing test-and-trace app.
“The question is, what has been done to prevent these leaks from happening in the first place? And when the leak happens, what will they do to take responsibility?” Anton said. “We’ve only been hearing excuses.”
Indonesia, he said, was hampered by a lack of legal framework protecting personal data. “We’ve drafted a personal data protection bill, but it’s still up in the air,” Anton said. “We have no specific law about data protection. There are mentions of it in various laws, but it’s scattered and incomplete.”
The Electronic Transactions and Information (ITE) Law, for example, ensures the rights of consumers to have their personal data protected. “But in cases like the e-HAC leak, are we consumers of a private enterprise, or are we citizens of a state?” Anton asked. “The parameters are unclear.”
This means that there is every chance of the government skirting responsibility. PeduliLindungi, the much-vaunted new test-and-trace app, recently came under fire for stating on its “About” page that neither the government nor PT Telkom Indonesia were responsible for any losses incurred due to “any violations or unauthorised access to PeduliLindungi”.
Controversially, this rule exists even though PeduliLindungi is all but compulsory for Indonesians. Under the most recent public activity restrictions (PPKM), citizens are required to show vaccine certificates on the app to travel and even enter shopping malls.
“They demand us to be responsible, but they won’t even guarantee our data’s safety,” Anton said. “It doesn’t make any sense.”
For Teguh, government officials are simply in over their heads. “The BSSN is tasked with ensuring our digital security, but they’re overwhelmed,” he said. “The government alone has thousands of digital assets, and their resources are limited. Their human resources aren’t good enough. Hackers even joke that the BSSN is just a bunch of lackeys.”
On a macro-scale, there seem to be no quick fixes. “To be blunt, if you’re born in Indonesia, you’re just unlucky,” Teguh said.
On an individual level, both Anton and Teguh simply preach vigilance. “When your data is leaked, your personal information is used in fraudulent transactions with online lending companies,” Teguh revealed. “One day, they may apply to be a lender … only to find that they are blacklisted because of these fraudulent loans.”
To avoid such hassle in the future, Teguh suggested a more effective solution. “Anytime a leak like this happens, be angry,” he said. “It’s important for us to be able to hold the government to account.”
THE JAKARTA POST/ASIA NEWS NETWORK
