Saturday, May 18, 2024 | 17:48 WIB


Corrective measures 

The government's most urgent step is for the President to form a supervisory PDP Commission, in accordance with the mandate of the PDP Law (Articles 58-60). The Commission will report directly to the President; it has the power and authority to effectively enforce the law. Sanctions (administrative and legal) can be imposed immediately, in the hope that entities which collect and store personal data will pay more attention to its security. This way data breach cases can be properly resolved and the public can feel more assured of confidentiality.

The Government should also openly announce the results of the investigation to the public, so that people can immediately know the source of the leak, and thus be assured that a similar data leak will not occur again. This is because hackers often leave a hidden pathway that they can use to regain access to a system that they have hacked before.

The institution, as the data manager, needs to immediately conduct a thorough security system audit and digital forensics to determine the source of the leak and the method the hacker used to get into the system and extract valuable data. Audit methods that can be carried out include assessing the vulnerability of the system and checking the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) for signs of unauthorized access.

An audit of employee devices that have access to the core system also needs to be carried out, to ensure that these devices are not used by hackers to gain access into the core system. In connection with the recent breach, the Immigration DG can also collaborate with the BSSN, BIN and Kominfo to jointly carry out system audits and digital forensics. 

(Image: data. Source: IMIGRASI.GO.ID)

The role of corporations 

There are several things that corporations need to do to increase public trust: ensure that the security monitoring system that detects suspicious activity or cyberthreats is working properly; use a multi-layered security approach that combines various technologies and security methods; and implement BCM (Business Continuity Management), simulating its procedures repeatedly. Equally important, they have to regularly assess the vulnerabilities and cybersecurity gaps of their systems. This will prevent costly system downtime, which can take several days to fix.

However, if a corporation, as the data manager, has suffered a cyber-attack and data breach, it needs to immediately conduct a security system audit and digital forensics to find the source of the leak and the method the hacker used to gain access to the system. Audit methods that can be carried out include assessing the vulnerability of the system and checking the IDS and IPS devices to investigate whether there has been unknown access to the system.

An audit of employee devices that have access to the core system ensures that these devices are not compromised and used as a point of entry to steal data. Corporations can also reach out and enlist the help of BSSN, BIN and Kominfo to perform system audits and digital forensics.

If a government institution or corporation experiences a ransomware attack, negotiating with hackers is not the right thing to do, because it is not certain that we will actually get the key to open the encrypted files. In addition, there is no guarantee that the files and data will not be shared or even sold on the dark web. Ransom payments will also further embolden and incentivize the ransomware syndicate to continue carrying out cyberattacks on other targets, including companies in the Vital Information Infrastructure (VII) category such as power, telecommunications, banking, etc.
