Cyber Incident Victim: Bank Syariah Indonesia
Date:
May 2023
Location:
Indonesia
Summary
The LockBit ransomware group stole 1.5 terabytes of personal and financial data from Bank Syariah Indonesia, impacting approximately 15 million customers and employees. The attack caused significant service disruptions, forcing the bank to take several channels offline. After ransom negotiations broke down, the group publicly leaked the data and accused the bank of initially mischaracterizing the outages as maintenance. Indonesian authorities were notified and involved in the investigation and restoration of services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 8, 2023, Bank Syariah Indonesia began experiencing significant service disruptions. The state-owned bank, which is Indonesia's largest Islamic bank and was formed in 2021 through a merger of three other banks, characterized these initial disruptions publicly as being the result of maintenance. BSI President and CEO Hery Gunardi stated the disruptions occurred due to the bank carrying out "risk mitigation in the company's IT system by carrying out maintenance." This public explanation was issued on May 11th. However, the bank also internally found indications of a cyberattack and, in response, "switched off several channels to ensure system security." The specific channels affected were not detailed initially, but the action was a containment measure taken to protect the wider system integrity.
The incident was quickly recognized as serious by Indonesian authorities. The Communication and Informatics Ministry announced on May 8th that it was seeking details and clarifying the specifics of the cyberattack experienced by BSI. This action was prompted by the ministry receiving a report concerning allegations of a data leak during the cyber incident. The ministry's Application and Informatics Director General, Semuel Abrijani Pangerapan, stated that if a gap was found in BSI's system and the data leak was confirmed, the ministry would provide recommendations to fix the system to prevent recurrence. The bank also coordinated with key national stakeholders for investigation and support, including the Financial Services Authority (OJK), Bank Indonesia (the central bank), and the National Cyber and Crypto Agency (BSSN).
The true nature and severity of the event became clear when the LockBit ransomware group claimed responsibility for the attack. LockBit contradicted the bank's public statements, asserting that the bank had "brazenly lied to their customers and partners, reporting some kind of 'technical work'" when the service interruptions were in fact the direct result of its cyberattack. The group engaged in negotiations with bank representatives between May 8 and May 13, as revealed through screenshots of conversations they later published. During these negotiations, the bank floated the possibility of paying a $10 million ransom to recover the stolen data. LockBit countered with a demand for $20 million before eventually going silent, indicating the negotiations had broken down without an agreement.
Following the collapse of ransom negotiations, the LockBit group followed through on its threat. On May 16, 2023, the group published approximately 1.5 terabytes of data it claimed to have exfiltrated from Bank Syariah Indonesia. LockBit stated this vast trove of data contained the personal and financial information of about 15 million customers and employees of the bank. The publication of this data confirmed the data breach allegations that the Communication and Informatics Ministry had been investigating.
The impact of the attack was substantial, disrupting core banking services for a significant period. BSI operates more than 1,100 branches and serves nearly 18 million customers. The attack disrupted its real-time gross settlement, national clearing system, and Bank Indonesia Fast Payment services. By May 11th, President and CEO Hery Gunardi reported that ATMs and bank branch services had been restored and that the institution was carrying out "capacity building" to fully restore core banking and other critical channels. The restoration efforts were conducted under the supervision of Bank Indonesia, the country's central bank, which confirmed on May 18th that these critical payment services had been restored.
The incident drew high-level political attention within Indonesia. Indonesian Vice President Ma'ruf Amin stated on May 15th that the BSI incident was a bad experience for the public and he asked the bank to improve its technology to prevent further attacks. This public commentary from a senior government official underscored the seriousness with which the incident was viewed at the national level and its impact on public confidence.
The response and investigation into the breach were also framed within the context of Indonesia's evolving legal landscape for data protection. The Ministry of Communication and Informatics noted that its involvement in handling the BSI cyberattack was part of the transition toward the implementation of Law No. 27 of 2022 on Personal Data Protection (PDP), which was set to become fully applicable in 2024. During this transition period, the ministry remained responsible for handling cyberattack cases related to data leaks. Director General Pangerapan explained that after 2024, a special institution would be appointed to enforce the law in similar cases, and penalties would be applied under supporting government regulations, marking a shift from the ministry's current role.