Therefore, even though a cybersecurity system is already the latest and most sophisticated, if cybersecurity education for employees is insufficient, the overall system is still deemed weak and unprotected, because the vulnerability gap remains.
Oftentimes, cyberattacks do not go through servers, because they can be easily detected and countered by cybersecurity monitoring systems – such as firewalls, IDS and IPS. That is why cyberattacks often target employee’s PC/laptops whether by luring them to download a file or application infected with malware or through compromised portable storage devices.
The Immigration Director General has yet to provide an official statement on the data leak. The agency only said that their data center uses a National Data Center (PDN) facility, which is also accessed by ministries/agencies, regional governments and village administrations.
PDN is a centralized data storage facility initiated by the Directorate General of Informatics Application (Aptika) through the Directorate of Government Informatics Applications Services. This is governed by Presidential Regulation 95/2018. The Government plans to establish PDN in four locations – Cikarang, Batam, Nusantara Capital City and Labuan Bajo. Since they are still in a developmental stage, a temporary PDN is being used, in collaboration with Telkom Indonesia.
With a centralized PDN, each institution does not need to create their own data center, because it will lead to interoperability issues and difficulty in maintaining cybersecurity, as there are many data centers that need to be monitored. Even though it has its own advantages, PDN also has drawbacks, because centralizing data in one location will make it easier for hackers to carry out data theft, just by hacking one device that has access to the data centers.
Losses incurred in a data breach
Data leak is of course very dangerous for the people whose data is stolen, because their personal data can be used by shady actors to commit crimes such as fraud, either direct fraud against the owner of the data or indirectly by masquerading as the person whose data has been stolen, to defraud other people. What is even more dangerous is if the personal data is used to create fake identities, which are then used to commit acts of terrorism, so that the parties and families whose personal data are used will be accused of being terrorists or their henchmen.
Data leaks can also be detrimental to the government, because if the source of the leak is claimed to come from a government agency, the Government’s credibility will be ruined. This of course will tarnish the government’s reputation in the eyes of the Indonesian people and the international community. The government will be deemed incompetent, unable to even provide security for its own institutions, even though it is backed by powerful authorities such as the National Cyber and Encryption Agency (BSSN), State Intelligence Agency (BIN) and the Ministry of Communications and Information Technology (Kominfo).
PDP Law not effective?
In light of the frequent leaks of personal data, the government must be more serious in implementing Personal Data Protection (PDP) law and regulations. Parties that must be held accountable include companies as data controllers or processors, as well as cybercriminals who illegally disseminate personal data to the public. For parties domiciled in Indonesia, PDP Law article 57 can be used to charge and prosecute them.
The PDP Law is not ineffective, but it cannot be implemented optimally due to several constraints. It was ratified in 2022 and immediately took effect when it was promulgated, but the House and the government still allow a transitional period of two years, as stipulated in article 74, for all parties to start adjusting their internal policies in accordance with stipulations contained in the law, including to recruit a “data protection officer.”
However, violations against the law committed during the transitional period can already be punished, in accordance with article 76, which states that the law applies from the date of its promulgation, although administrative sanctions still have to wait for its implementing regulations to be issued. This is of course different from Law 1/2023 on Penal Code, where Article 624 stipulates that the law shall come into force three years from the date of its promulgation.
It’s just that these sanctions can only be imposed by an institution or commission formed by the Government, in this case the President. Thus, if the PDP commission is not formed immediately, the violations committed will not be subject to sanctions. October 2024 is the deadline for full implementation of the PDP Law, but it should be sooner if the Government has formed the mandated institution and enacted its implementing regulations.