
Indonesian Community Personal Data For Sale. Who is the Buyer?

Many entities buy data on the black market, but illegal fintech platforms may be the biggest buyers from hackers.

When the internet economy proliferates without safeguards being developed alongside it, bad things often happen, and users then bear the brunt of it. Hackers find security-vulnerable targets in Indonesia, stealing a growing pool of personal data. This information is then leaked on the dark web, hacker forums, and even social media platforms. Some is made available for anyone to download and use, while the rest is for sale. Consumer information has a price tag, and there are countless buyers: marketing companies, election campaigns, and many of the country's unlicensed fintech lenders, who run scams by forcing loans on unwitting people.

In May, the servers of Indonesia's health and social security agency, BPJS Kesehatan, were compromised. A hacker managed to copy the data of 279 million Indonesians—probably most of the country's population plus a few who had already died. Data breaches such as the one at BPJS can lead to a myriad of unintended consequences for consumers, from identity theft to credit card fraud. Doddy Darumadi, a lawyer at the law firm Nenggala Aluguro in Jakarta, told KrASIA that he has represented many clients who were aggrieved in cases related to illegal peer-to-peer loans since 2017.

Every year, the number of cases increases as illegal platforms offering instant loans keep popping up. Many victims are trapped in debts that they cannot pay off. The lenders are generally P2P lenders who obtain user information illegally and then force high-interest loans on them. “Some victims came to me and said they received the money sent from the fintech platform along with the bill. This platform charges high interest in the short term. The problem is that they never applied for or agreed to borrow money from this platform,” Darumadi told KrASIA. The lawyer added that his company handles at least 20 new cases related to illegal lenders every week.

Fintech platforms that operate without proper licenses build their user base by sourcing data from hackers and data brokers, who sell personal information at fairly low prices. A person's credit card details cost USD 6–20. An ID with full name, date of birth, email and mobile number costs USD 0.5–10. Selfies with supporting documents for visual verification have a higher price tag of USD 40–60, according to data collected by Kaspersky.

Poor cybersecurity is largely to blame for the free flow of personal data in these circles. Most of the breaches in Indonesia only came to light after hackers sold their haul on the hacker community site Raid Forums, which is on the open web. Not long ago, Indonesia's IT Ministry blocked the site, but it's still easy to access with the right tools. Even so, there is a lot of personal information being sold in less visible areas of the internet. A cybersecurity activist with the nickname “Dendi Zuckergates,” who co-founded an online community for IT enthusiasts called Orang Cyber Indonesia, said there were actually more data breaches involving Indonesians than reported in the media.

“After the BPJS case, the servers of several civil registry offices such as Bogor and Bekasi [cities in Indonesia] were hacked, and people were selling datasets containing millions of personal information from those servers on the Raid Forum. Usually, only half of them are real, while the rest are fakes. Hackers do this to push up prices,” Zuckergates told KrASIA. “Data purchases typically use cryptocurrencies such as bitcoin, so they are secure and untraceable.”

Indonesia's poor cybersecurity means big business for hackers looting servers for datasets that can be resold to marketing firms, political campaigners and even illegal fintech lenders. Photo by Clint Patterson at Unsplash.

Build a business and win elections with personal data

Like many illicit trades, single practitioners can work together to pool resources and form larger operations. “In addition to hackers or individual sellers, there are also many syndicates that sell personal data. They consist of several members with different occupations. Some are in charge of hacking the system, some are in charge of sales, some are in charge of buying data from several sites for resale, and so on,” said Zuckergates.

Those who buy stolen data can use it for a variety of purposes. Sometimes, personal information is purchased by marketing companies that specialize in spam campaigns; others buy it to increase their success rate when they identify signs of fraud. Sometimes, there is also a political dimension. Leaked data is often bought by agencies in the run-up to elections to reach the public via SMS on behalf of candidates, Zuckergates said.

The IT Ministry has set rules regarding the use of text messages by political campaigns. Agencies may not request user identification or information from telecommunications providers or other parties for targeted campaigns. In addition, institutions are prohibited from sending SMS or spam broadcasts during the “quiet week” prior to polling day, even though Indonesia's election watchdog has found a violation.

Nonetheless, illegal fintech platforms appear to be among the biggest buyers from black market data brokers.

“Illegal [fintech] platforms reach potential victims by sending them messages via SMS or WhatsApp,” Darumadi said. Frauds that might fail in other parts of the world still claim innocent victims in some emerging markets such as Indonesia due to generally lower levels of digital and financial literacy. Some people click on a link in the message they receive, which leads to the installation of an app that asks for their personal information. In this way, the platform gains access to victims' information, such as their contact information and salaries. “Debt collectors will intimidate the victim by constantly calling the numbers on the victim's contact list, demanding that they pay the debt harshly, or even threatening to spread the victim's personal data on the internet,” the lawyer added.

The Indonesian financial authority OJK continues to urge the public to be careful in choosing fintech platforms, given the large number of applications that operate without permits in the country. As of April 2021, the OJK had blocked 3,198 illegal P2P lenders, but new ones continue to emerge to replace them.

While Darumadi isn't sure how the illegal P2P lenders obtained the contact information of their victims, it didn't take much digging to find personal data being sold in Indonesia. A Twitter user with the handle “pinjollaknat” has collected information and tweets about illegal lenders in the country. There are dozens of brokers who say they have batches of Indonesian e-national ID data to trade, making it very easy and cheap for illegal fintech operators to build an illegitimate user base. The next step is to force loans on unknowing individuals, demand high interest payments, and possibly destroy their financial foundation and credit score in the process.

Can this looting be stopped?

The forced loan repayment racket by fintech platforms emerged five years ago and has been on the rise ever since. Many people have complained about this on Consumer Media, which publishes reports from aggrieved consumers. Here's the truth: when digital assets are spread across multiple platforms, consumers are in a vulnerable position. There were 47 cases of data theft in 2017, according to Indonesian police records. That number increased to 88 cases in 2018 and then to 143 in 2019. Last year, there were at least seven cases of data breaches involving large institutions. These attacks escalated, but little effort was made to turn things around.

The Indonesian House of Representatives is currently reviewing a draft law on the protection of personal data. Even so, the basic laws governing data protection are included in the electronic information and transaction law (UU ITE), which includes penalties for those who steal or share other people's personal data without their consent, such as illegal fintech lenders.

Hackers who access computer systems without permission can be sentenced to eight years in prison and a fine of IDR 800 million (USD 56,000). Meanwhile, those who knowingly distribute digital documents without their owner's permission for the purpose of extortion and intimidation can be jailed for up to six years and fined IDR 1 billion (USD 70,000).

Indonesian cyber police regularly remind the public to be careful in providing personal data to other parties to avoid misuse, such as generating unsolicited loans or even expropriation of personal accounts that hold cash balances. However, as data leaks become commonplace and official investigations do not come up with a solution, citizens are left on their own to prevent or respond to criminal acts. The most effective thing people can do is monitor their accounts and react quickly if they find an unusual cash transfer.

“If you see suspicious activity such as a mysterious transaction, or if you are terrorized by an illegal lender, you can report it to the cyber police for immediate action. Consumers must be extra careful in sending personal data such as e-KTP and selfies on digital platforms,” said Darumadi.

And what of the recent information leak of 279 million people? The Indonesian cyber police and the National Cyber and Encryption Agency are investigating the incident, but looking at references from previous cases, no conclusions will be released any time soon.

-This article was first released by KRASIA. Re-released in Indonesian as part of the collaboration with DailySocial
