Jakarta city skyline showing data breach of Indonesian passports

34 million Indonesian Passports Exposed in a Massive Immigration Directorate Data Breach

Over 34 million Indonesian passports were leaked in a massive data breach impacting the country’s Immigration Directorate General at the Ministry of Law and Human Rights.

Cybersecurity researcher and founder of Ethical Hacker Indonesia, Teguh Aprianto, disclosed the breach on his Twitter account @secgron, attributing the attack to a hacktivist identified as Bjorka.

Indonesian authorities are investigating the breach while the threat actor has offered the treasure trove for sale on his data leak site.

Immigration data breach exposed PII from leaked Indonesian passports

The security researcher posted a screenshot of the allegedly stolen 4GB of passport data, currently selling for $10,000.

“The hackers also provided 1 million data samples which appear to be valid. The timestamp is from the 2009-2020 period,” Teguh said.

The exposed data includes full names, passport numbers, dates of issue, expiry dates, dates of birth, and gender of 34.9 million Indonesian passport holders.

Indonesia’s Ministry of Communications and Information Technology has confirmed being notified of the alleged data leak.

The ministry was coordinating with the National Cyber and Encryption Agency (BSSN) and the Director General of Immigration while investigating the alleged exposure of Indonesian passports.

However, the Information and Public Communication Director General Usman Kansong claimed the allegedly leaked Indonesian passports’ data structurally differed from the information stored at the Ministry of Communication and Informatics National Data Center.

Meanwhile, the communication ministry urged all data processors to comply with the provisions of the Personal Data Protection (PDP) law passed in October 2022 and enhance the security of their information systems to prevent similar data leaks.

The PDP law grants individuals more control over their personal information and demands compliance from data controllers.

If confirmed, the Indonesian passports data breach exposes the victims to various forms of identity theft.

“The biggest real-world consequence of a breach like this is identity theft,” said Andrew Whaley, Senior Technical Director at Promon. “With passport data being sold on the black market, this could lead to many of the sufferers of this breach finding that criminals have fabricated counterfeit travel documents or even opened bank accounts in their name.”

Holders of Indonesian passports could pay a price for the alleged data breach stemming from the government’s failure to protect sensitive information.

“What’s worse, the citizens of Indonesia will now have to pay the price for the ensuing wave of scams and fraud that always follow these kinds of breaches, especially when highly sensitive documents like passports are involved,” noted Whaley.

History of data breaches in Indonesia

Indonesia has been the target of several cyber attacks, raising concerns about the country’s cyber security posture, currently ranking 84th, according to the National Cyber Security Index (NCSI).

The country has recorded over 90 data breaches in four years, with a third stemming from government organizations. According to the Head of BSSN, Hinsa Siburian, Indonesia’s data theft intensity was “actually low.”

“It’s been shown time and time again that the APAC region is most at risk of cyberattacks,” Whaley added. “Governments in this region are always the first to claim that security is the highest priority, yet incidents like this show that this is not always the case.”

In May 2023, LockBit ransomware claimed to have stolen 1.5 terabytes of data from the country’s Bank Syariah Indonesia (BSI).

Similarly, the hacktivist behind the Indonesian passports data breach leaked the personal information of President Joko Widodo and his officials, protesting against the country’s poor administration. The hacktivist is suspected to be responsible for at least 10 data breaches.

Other notable cybersecurity incidents in Indonesia include the KPU leaks, Indihome, Tokopedia, Jasa Marga, MyPertamina, and PLN customer data breaches.

At least 100 million Indonesians out of the country’s 273 million citizens have their personal information exposed in one of the numerous data breaches.