Tracking Customer Data Leaks on Indonesian Digital Platforms

A poorly run "bug bounty" program is suspected to be one of the causes

Over the last few years, at least one sizable hacking incident has surfaced almost every year. A few days ago it was Tokopedia and Bhinneka. Last year it was Bukalapak. Several years ago a vulnerability was also found in Gojek that exposed its users' data.

These events naturally lead many people to ask what is wrong with the security of internet companies in Indonesia. This series of incidents is also the right moment for digital platforms in the country to look back at what they have actually done to secure user data.

Tokopedia Incident

An email from Tokopedia on behalf of Founder & CEO William Tanuwijaya landed in the inboxes of Tokopedia users on May 12, 2020, about 10 days after the data breach at Tokopedia was revealed to the public. The letter contained, more or less, William's words reassuring users that the company had taken the necessary steps to resolve the data theft case.

The letter from William is not surprising given the gravity of what happened. Data from about 91 million users was illegally sold by the hackers who stole it. The data consisted of full names, email addresses, phone numbers, dates of birth and passwords, which fortunately were still protected (hashed).

"We understand that this incident has caused inconvenience to all users. Therefore, we would like to express our deepest gratitude to all Tokopedia users for your continuous support for us in the midst of this challenge," concluded William in the letter.

The time span from the disclosure of the data theft to William's letter was 10 days. The company mobilized internal and external teams and collaborated with the National Cyber and Crypto Agency (BSSN) to investigate the case. However, no further news about the investigation has reached users so far.

Tracking Cause

A possible cause of the Tokopedia case was raised by Teguh Aprianto, founder and general chairman of Ethical Hacker Indonesia. In his interview with Nathaniel Rayestu at Voice Assumption a few days ago, Teguh pointed to the bug bounty program that Tokopedia did not take seriously as the cause of the data breach there.

A bug bounty program is a kind of contest that invites security researchers to compete in searching for and finding bugs in websites, software, or applications. Most major internet companies in Indonesia have such a program.

However, in the case of Tokopedia, Teguh said the e-commerce company was not committed to the bug bounty program it had created. When a bug discovery report was sent in, Tokopedia would say that its internal team had already found it first.

"For example, today I report to Tokopedia, then a few days later there will be a reply from Tokopedia that says 'we have found it internally'. If it has been found internally, it has not been resolved for months. And this happened again and again. The mechanism they use is unclear, there is no transparency," said Teguh.

Teguh said that a data theft case at Tokopedia had happened once before. Since that first incident, he and the bug hunter community had already predicted there was a time bomb that could have a similar impact. The cause in the Tokopedia case is said to be no different from the Bukalapak case that emerged last year.

"Tokopedia and Bukalapak are two companies that run bug bounty programs. But the problem is that these companies have been blacklisted by researchers or bug hunters because incoming reports are not handled professionally," he added.

We contacted Tokopedia and Bukalapak to find out more about the cause of the data leaks that happened to them. Tokopedia declined to comment. Meanwhile, Bukalapak said it was not aware that anyone had blacklisted it over bug bounty matters.

"We were not aware of any blacklist on any commercial bug bounty program. We have a bug bounty program with an extraordinary level of participation that helps us improve the security of the platform," Bukalapak Head of Corporate Communication Intan Wibisono wrote to DailySocial.

We spoke further with Girindro Pringgo Digdo, CEO of CyberArmyID, a cybersecurity company that connects bug hunters with companies or organizations that need them. From his experience, Girindro said that bug hunters do indeed often face a dilemma in bug bounty programs.

The dilemma Girindro refers to is in line with Teguh's earlier account: a bug hunter's findings are claimed to have already been found internally by the company first. Girindro emphasized that this had happened many times. Whether findings are called duplicates or not, according to Girindro, what to do next is the bug hunter's own decision.

"If bug hunters are dissatisfied because findings keep being called duplicates, I think it's better to play elsewhere. You don't have to go to that place anymore," explained Girindro.

However, Girindro admits that, based on his experience, quite a lot of applications belonging to local companies have many loopholes that leave them vulnerable to exploitation. This, according to Girindro, is sufficient reason for every entity in Indonesia to prepare the human resources, policies and procedures, and technology needed to secure its user data.

"When it comes to security, especially those with high assets, security should not be a burden, but a business priority," he said.

Once again, we need the PDP Law

If there is one thing that the government and the people's representatives in parliament need to do in response to the series of data breach cases at our internet companies, it is to speed up the ratification of the Personal Data Protection (PDP) Bill into law.

Every time there is a data theft case, the users who have been harmed seem powerless to demand the data security they entrusted to the digital service providers.

Based on the draft as of December 2019, the PDP Bill contains 72 articles and 15 chapters governing the definition of personal data, its types, ownership rights, processing, exceptions, controllers and processors, transfer, the authorized institution that regulates personal data, and dispute resolution. It also covers matters ranging from international cooperation to the sanctions imposed for misuse of personal data.

When the regulation becomes law, the power of the public as consumers and citizens over their data will be stronger than before.

"Reflections on the implementation of digital law need to be taken into consideration in determining the appropriate legal sanctions for those who violate personal data," said SAFEnet Executive Director Damar Juniarto some time ago.

Meanwhile, Teguh added that there is indeed an aspect of public education that must go hand in hand with the legislative process of the PDP Bill. However, he stressed that in the current situation the PDP Bill is needed more.

"Comparing the two, in my view the PDP Law is needed more, because public awareness needs more time," concluded Teguh.