Jakarta, IO – Pseudonymous hacker Bjorka is back in the spotlight. The self-proclaimed “hacktivist” has rattled Indonesia’s cybersecurity establishment by regularly flaunting on his blog snippets of the millions of the personal data files he has managed to steal, by successfully breaching into government databases.
These include 26 million browsing histories of IndiHome customers, 1.3 billion SIM card registration data, 679,000 letters relating to President Jokowi, 105 million documents from the General Elections Commission (KPU), 45 million from MyPertamina app, 3.2 billion from PeduliLindungi contact tracing app, 19 billion from BPJS Ketenagakerjaan, 35 million from myIndiHome app and, as recently as last week, 34 million passport info on Indonesian citizens from the Immigration Directorate General.
He shared 1 million of these, to prove that he was the perpetrator. The 4GB of uncompressed file was offered at a price of US$10,000 (Rp150 million) to interested buyers. The data has been proven to be genuine because one particular example is the author’s old passport, one that expired in 2011. Furthermore, it had the NIKIM number, a secure digital identity which can only be read by a special NIKIM reader and is only held by the Immigration DG.
Some controversially suggested that the data structure in the sample file is different from those possessed by the immigration agency. This could happen because when hackers download data from a database, which is commonly dubbed “database dump”, there are many fields that hackers deemed unimportant and thus removed so only important data gets displayed.
The CSV file format used in the shared sample data may be deliberately chosen by the hacker because it is easier to read, instead of db-dump, which contains a lot of unnecessary table parameters. In spreading the sample data, the main goal of the hacker is to use it as a campaign tool so that only important data is displayed, in an easy-to-read format. At this time, it cannot be ascertained whether the leak actually came from the Immigration DG’s server or Bjorka accessed it from other data leaks.
Inherent vulnerability gap?
As we all know, there is no security system that can provide 100 percent protection to the system. Cyberattacks have grown more sophisticated and there have been many “mutations” of malware in circulation which make them difficult to detect. Complicating the problem, there are many hacktivists who specifically target vulnerabilities in organizations’ IT systems. But, of course, data leaks can generally be prevented.
The cybersecurity awareness of institutions and companies in Indonesia is actually quite good, because they already use surveillance tools and safeguards to prevent potential cyberattacks. What needs to be done is education for employees, because it often their negligence and complacency that compromise the security of the system and inadvertently open the door to malicious attacks.
Cyberattacks are not always due to weak IT security systems, because there are many entry points that can be exploited by hackers to compromise a target system, such as phishing, social engineering, infected USB or external storage, etc.
If we look at cybersecurity systems, we can’t just focus on the infrastructure and devices, but must also consider other aspects, such as whether an organization has BCM (Business Continuity Management) and regularly conducts simulations of Standard Operating Procedure (SOP), such as backup and recovery processes, so that if there is a service interruption, either due to a cyberattack or corrupted device, recovery can be carried out immediately to ensure uninterruptible service.
Employee training on cybersecurity aspects is also a critical point for an organization, because it is not uncommon for cyber-attacks to be facilitated when an employee’s PC/laptop is hacked or through phishing attacks.