20 December 2024

Ransomware Scares, Netflix Violations Highlight Global Data Privacy Failures

Indonesia's lax security and Netflix's GDPR breaches reveal urgent need for regulatory reform.

JAKARTA – A ransomware scare has once again rung alarm bells about the state of Indonesia’s digital security, which analysts warn has seen little improvement since the enactment of its Personal Data Protection Law two years ago. Indonesia has been plagued by data breaches, and experts say authorities have failed to investigate these incidents properly or transparently, leading to public distrust in the government's ability to keep data safe.

On Wednesday, several organizations that monitor malicious online activity, including Falcon Feeds of India and Dubai-based Hack Manac, reported on their X accounts a ransomware attack by hacker group Bashe targeting state-owned lender Bank Rakyat Indonesia (BRI). BRI quickly denied the allegations, asserting that none of the data samples came from its database. “We have conducted a thorough check on our system and found no ransomware threat there. A more detailed assessment shows the published data does not originate from BRI’s system,” stated BRI on Thursday evening.

BRI reassured customers via its Instagram account that their data and funds remain secure and that services are operating normally. “BRI’s IT security system is up to international standards and is regularly updated to confront various potential threats. Proactive measures are taken to protect customer information,” they stated. Pratama Persadha from the Communication and Information System Security Research Center cast doubt on the authenticity of the reported breach, noting that the alleged data samples were identical to data available on publicly accessible file-sharing websites.

Bashe had threatened to release unspecified user data if BRI did not pay a ransom by December 23, although the legitimacy of the breach remains unclear. Bashe is thought to be a splinter group from the notorious LockBit ransomware organization, which attacked Bank Syariah Indonesia (BSI) last year, stealing 1.5 terabytes of data and demanding $20 million for its release.

Despite the uncertainties surrounding the recent ransomware incident, experts point to the broader issue of Indonesia's lackluster implementation of its privacy law. The Personal Data Protection Law became fully operational only this October, after granting data controllers two years to implement safety measures. Still, President Prabowo Subianto has yet to issue regulations for establishing the oversight agency intended to monitor compliance with the law. “Data controllers should have been ready to comply [with the law] by now, yet data breaches keep on happening,” said Wahyudi Djafar from the Institute for Policy Research and Advocacy (Elsam).

He emphasized the necessity of the oversight body, which would provide data controllers with benchmarks and guidelines to ensure effective safety measures. Second Deputy Communications and Digital Minister Nezar Patria indicated the government has completed drafting the privacy law’s implementing regulations, which are poised for presidential approval early next year.

Cybersecurity expert Ardi Sutedja criticized the government for stressing punitive measures without offering adequate guidance on law implementation. Current efforts need to pivot toward educating companies about their cybersecurity responsibilities, focusing on the importance of foundational data safety practices.

Across the ocean, Netflix has also been feeling the heat from regulators, facing significant enforcement action over data processing violations. An investigation revealed Netflix's failure to meet European Union GDPR standards in multiple areas, including transparency about the legal basis for its data processing and about its retention practices.

The action taken by the AP against Netflix focused on its non-compliance in four key areas: it failed to clarify the purposes and legal grounds for processing customer data, did not specify which third parties receive the data, lacked clear retention periods, and provided inadequate information about international data transfers.

Following the investigation, the AP levied a €4.75 million fine on Netflix, emphasizing the need for transparency and accountability from global companies working with personal data. The AP noted, “Companies with global reach and significant resources must lead by example and assure data transparency. Customers deserve to know precisely how their personal information is managed—especially when they ask for it.”

This action underscored the necessity for clear privacy practices. Post-investigation, Netflix took corrective measures to improve its privacy communication, leading to positive movements within its data processing practices. This case serves as a stark reminder for all companies managing personal information under the GDPR to prioritize clarity, ensuring responses to customer data requests are complete and intelligible.

Meanwhile, the European Data Protection Board (EDPB) has also taken steps to guide tech companies on managing data privacy concerning AI models. Following inquiries from Ireland's Data Protection Commission, the EDPB published guidance on assessing AI anonymity and processing data under legitimate interests without requiring user consent.

EDPB Chair Anu Talus remarked, “AI technologies may bring many opportunities and benefits to different industries, but we need to assure these innovations are accomplished ethically and safely.” To qualify for processing personal data as “anonymous,” the chance of tracing data back to individuals needs to be significantly low and evaluated case-by-case by supervisory authorities.

This newly issued opinion provides measures for AI developers to demonstrate anonymity, including avoiding personal data during model training, utilizing strong technical measures to prevent re-identification, and conducting regular risk assessments. Importantly, organizations advocating for innovative AI approaches face criticism surrounding potential risks impacting privacy and discrimination.

Collectively, these developments reflect the growing scrutiny around data privacy regulations. Global companies are urged not to be complacent about compliance as regulators consistently advocate for upholding consumer protection standards. From Indonesia’s weak enforcement of data protection measures to Netflix's recent penalties under GDPR, the spotlight remains on safeguarding digital privacy across industries.