Cyber Incident Victim: PT JASAMARGA TOLLROAD OPERATOR

Date: Aug 2022

Location: Indonesia

Summary

A major Indonesian toll road operator experienced a cyberattack by the group DESORDEN, involving unauthorized access to 252 GB of data from five servers. The compromised information reportedly included user, customer, employee, corporate, and financial data, though the company asserted no customer data from its dedicated application was affected. Following the breach, the operator disabled impacted servers, initiated data recovery efforts, and migrated systems to more secure infrastructure while addressing vulnerabilities. After reviewing the exfiltrated data, DESORDEN later confirmed that it contained only corporate and employee information, but emphasized persistent security weaknesses in the operator's broader network. No ransomware was deployed during the intrusion.

Description

On or around August 1, 2022, the hacker group DESORDEN infiltrated the network of PT JASAMARGA TOLLROAD OPERATOR (JMTO), Indonesia’s largest tollway operator. The breach involved unauthorized access to five servers containing approximately 252 GB of data, including internal corporate documents, financial records, employee information, and user data. DESORDEN publicly disclosed the attack on August 23 by posting proof of compromise (including sample files and server directory screenshots) on a hacking forum while simultaneously alerting cybersecurity news outlet DataBreaches.net. The threat actor claimed the stolen data encompassed customer information from JMTO’s systems, and later clarified that no ransomware was deployed during the intrusion. JMTO’s corporate website became intermittently inaccessible during this period, with connection attempts timing out or failing to resolve domain names.

JMTO formally responded to the breach on August 25, 2022, through corporate communications representative Lisye Octaviana. The company asserted that compromised data consisted exclusively of internal corporate and employee information, denying any exposure of customer data from the JMTO mobile application. Immediate containment measures included disabling affected servers, initiating data recovery processes, migrating systems to more secure infrastructure, and engaging cybersecurity experts to assess vulnerabilities. DESORDEN countered JMTO’s customer data denial by announcing a multi-day review of the exfiltrated data archive, while simultaneously revealing they retained access to JMTO’s broader network—including the jasamarga.com domain—through unpatched vulnerabilities despite JMTO having remediated two entry points. By September 13, DESORDEN completed their analysis and corroborated JMTO’s claim, confirming the absence of customer app data in the stolen corpus but reiterating the presence of sensitive corporate and employee records. The group announced intentions to sell the exfiltrated data following their verification process, while JMTO continued system restoration and vulnerability mitigation efforts.
