A recent data breach case involving fintech aggregator platform Cermati.com, the fifth known this year, again highlights the vulnerability of user data on digital platforms and the urgency of a personal data protection bill, experts have said.
Data on almost 3 million users from fintech aggregator platform Cermati.com was leaked and sold online for US$2,200 on Oct. 28, as reported by cybersecurity researcher and consultant Teguh Aprianto via his Twitter account @secgron on Sunday.
The leaked data includes names, addresses, bank accounts, emails, mother’s maiden names, tax numbers (NPWP) and passwords, he said. Cermati.com confirmed the illegal access of their system, although it did not specify the user data that was compromised.
Communication and Information System Security Research Center (CISSReC) chairman Pratama Persadha said the marketplace is a frequent target of cyberattacks because it hosts financial data such as credit card numbers, which can be sold for a high price on the internet.
“The string of attack that we are seeing is a sign of how important the personal data protection law is,” he said in a statement on Tuesday.
The House of Representatives is planning to conclude deliberations on the personal data protection bill in November, a delay from its initial target of October.
The personal data protection bill, a draft of which has been assessed by the ministry since 2014, reportedly adopted several principles and aspects of the European Union’s General Data Protection Regulation (GDPR), which focuses on five main areas: data collection, data processing, data security, data breach and the right for individuals to have their personal data erased.
Indonesia is lagging behind much of the world in terms of data protection, with numerous countries having already adopted their own version of the GDPR, including neighboring Singapore and Malaysia.
The National Cyber and Encryption Agency (BSSN) previously revealed that Indonesia recorded more than 88 million cyberattacks during the first four months of the year, with March seeing the highest average of daily attacks.
Cermati.com is the second fintech platform to experience a data breach this year after around 890,000 Kreditplus users’ data was leaked in August. Three Indonesian e-commerce platforms, namely Bhinneka.com, Bukalapak and Tokopedia, also reportedly experienced data breaches that stole their customers’ details in May, which were then sold on the dark web.
Pratama said the data protection law can oblige digital companies to implement cybersecurity standards, as well as setting a clear regulation on companies’ obligations when a data breach occurs.
“Without such a regulation, when customers become the victim of a data breach, they can only trust the platform to fix the issue. This is where the government must step in to pass the personal data protection bill,” he said.
Meanwhile, cybersecurity firm IntSights chief security officer Etay Moar said data stolen from an aggregator such as Cermati.com can be used to target other platforms in their database as well as to conduct social engineering scams.
For example, after obtaining a user’s name, phone number and credit card information, the criminal could pretend to be a bank representative to get the user to offer more sensitive information, such as passwords.
“Security is a shared responsibility. Companies should offer more security measures and users need to want to consume it,” he said in an interview on Wednesday, adding that users can choose to work with platforms that allow two-step or mobile authentication for added security.
Moar also pointed out that because cyberattacks are on the increase during the pandemic, the damages from cybercrimes are predicted to reach $6 trillion by 2021.
Cermati is registered at Bank Indonesia (BI) as a fintech platform under PT Dwi Cermat Indonesia. It is also a member of the Financial Authority (OJK) Digital Financial Innovation (IKD) sandbox program.
OJK spokeswoman Sekar Putih Djarot told The Jakarta Post on Tuesday that the platform was still being reviewed for a license or permit.
“We have asked Cermati.com to make an incident response and immediately fix its security system. We will monitor their progress as part of a feasibility evaluation on whether it can proceed to the next stage or not,” she said.
Sekar also encouraged users to report losses caused by financial service providers registered with the OJK as the agency can penalize them or revoke their licenses.
“However, it is important that the personal data protection bill be passed soon, as it can further protect users’ data,” she added.
Cermati.com founder Andhy Koesnandar said the company was partnering with the BSSN to investigate the issue. The company will also work with independent data security consultants to improve its cybersecurity.
“We have taken corrective measures and step to increase our security system,” Andhy said on Oct. 31 as reported by kompas.com.