Cyber Incident Victim: Immigration Directorate General
Date: Jul 2023
Location: Indonesia
Summary
A significant data breach impacted Indonesia's Immigration Directorate General, exposing the personal information of over 34 million passport holders. The stolen data includes full names, passport numbers, and dates of birth. A threat actor offered the data for sale online, potentially enabling identity theft and fraud against the affected citizens. Authorities are investigating the incident.
Description
On or around July 1, 2023, a significant data breach was disclosed, impacting Indonesia’s Immigration Directorate General, which operates under the Ministry of Law and Human Rights. The incident involved the exposure of highly sensitive personal information belonging to over 34 million Indonesian passport holders. Cybersecurity researcher Teguh Aprianto, the founder of Ethical Hacker Indonesia, publicly revealed the breach through his Twitter account, @secgron. According to his disclosure, the attack was attributed to a hacktivist individual known online as Bjorka. The threat actor was offering the entire stolen dataset for sale on a dedicated data leak site, with an asking price of ten thousand dollars for the complete collection of information.

The stolen data constituted a substantial 4 GB file containing passport details for approximately 34.9 million individuals. The information exposed was comprehensive and included critical personally identifiable information such as the full names of passport holders, their unique passport numbers, and the specific dates those passports were issued. Furthermore, the dataset contained the expiry dates for these travel documents, the dates of birth for all affected individuals, and their gender. A sample of one million records was provided by the threat actor to potential buyers as proof of the data's validity, and an analysis of this sample indicated the information pertained to passports issued over an eleven-year period, from 2009 to 2020.
Following the public disclosure of the breach, Indonesian authorities initiated an investigation into the incident. The Ministry of Communications and Information Technology confirmed it had been notified of the alleged data leak and was coordinating its response with other national bodies, including the National Cyber and Encryption Agency (BSSN) and the Director General of Immigration. However, an official from the ministry, Information and Public Communication Director General Usman Kansong, publicly cast doubt on the breach's authenticity by claiming the structure of the allegedly leaked data differed from the information stored at the Ministry of Communication and Informatics National Data Center. Despite this initial statement, the communication ministry used the event to urge all data processors across the country to enhance the security of their information systems and to strictly comply with the provisions of the Personal Data Protection (PDP) law, which had been passed in October 2022.
The potential consequences of this data breach are severe for the millions of affected Indonesian citizens. Cybersecurity experts have highlighted the significant risk of identity theft stemming from the exposure of such detailed passport information. With this data being sold on the black market, criminals could fabricate counterfeit travel documents or use the stolen identities to open bank accounts fraudulently in the victims' names. The citizens of Indonesia may consequently face a prolonged period of dealing with scams and financial fraud, effectively paying the price for the failure to protect their sensitive information. This incident underscores the critical value of passport data and the grave real-world implications when it falls into the hands of malicious actors.
This event is not an isolated occurrence but rather part of a broader pattern of cybersecurity challenges within Indonesia. The country has been the target of numerous cyber attacks, raising serious concerns about its overall cyber security posture. According to the National Cyber Security Index (NCSI), Indonesia currently ranks 84th globally. Over the past four years, the nation has recorded more than 90 distinct data breaches, with a significant proportion, approximately one-third, originating from government organizations. This particular breach involving the Immigration Directorate General adds to a growing list of major cybersecurity incidents that have impacted Indonesian institutions and their citizens.
The hacktivist Bjorka, who is allegedly responsible for this passport data breach, has been linked to other high-profile cyber incidents in Indonesia. Prior to this attack, the same individual had leaked the personal information of President Joko Widodo and several other government officials, an act that was reportedly done as a form of protest against the country's perceived poor administration. This threat actor is suspected of being responsible for at least ten separate data breaches, indicating a persistent and focused campaign against Indonesian targets. Other notable cybersecurity incidents that have affected Indonesia include major data breaches at KPU, Indihome, Tokopedia, Jasa Marga, MyPertamina, and PLN, which collectively have exposed the customer data and personal information of millions.
The cumulative impact of these repeated breaches is staggering. It is estimated that the personal information of at least one hundred million Indonesians, out of the country's total population of 273 million citizens, has been exposed in one or more of these numerous data leaks. This represents a substantial portion of the national populace and illustrates the scale of the cybersecurity challenge facing the nation. Despite the frequency of these events, the Head of the National Cyber and Encryption Agency (BSSN), Hinsa Siburian, has previously characterized Indonesia's data theft intensity as being "actually low," a statement that stands in stark contrast to the empirical evidence provided by the sheer volume of recorded incidents and the number of citizens affected.
The breach of the Immigration Directorate General serves as a potent example of the ongoing cyber threats faced by governments in the Asia-Pacific region. Experts have noted that this region is particularly at risk of cyberattacks, often citing a disparity between the stated priority of security by governments and the actual implementation of robust protective measures. The sale of a national passport database on the black market for a mere ten thousand dollars highlights the economic incentives for threat actors and the relatively low cost at which the sensitive data of millions of citizens is valued by criminals. The incident continues to be investigated by Indonesian authorities as they work to confirm the full scope of the breach and mitigate its effects on the populace.
