Indonesia’s Tax Agency Data Breach Impacts 6 Million, Including President Widodo and His Cabinet

Indonesia’s tax agency has suffered a massive data breach that leaked the government-issued and personal information of 6 million taxpayers, including the country’s president, Joko ‘Jokowi’ Widodo, his close family members, and high-profile government officials.

Boasting the largest archipelago and with a population of 275 million people, Indonesia is the world’s fourth most populous country and the third-largest democracy since the fall of the authoritarian government in 1998.

However, the Southeast Asian nation grapples with numerous data breaches affecting over 280 government agencies, raising concerns about the country’s state of cybersecurity.

Publicized on X (formerly Twitter), the DJP data leak surfaced after a threat actor known as ‘Bjorka’ listed the stolen information for sale on the cybercrime marketplace BreachForums for $10,000, equivalent to 150 million Rupiah in local currency.

Indonesia’s tax agency data breach affects prominent individuals

Besides President Widodo, other prominent individuals impacted include Jokowi’s two sons, Kaesang Pangarep and VP-elect Gibran Rakabuming Raka.

The threat actor also alleges the data breach impacted Finance Minister Sri Mulyani Indrawati, Communications and Informatics Minister Budi Arie Setiadi, and Minister of State-Owned Enterprises (SOEs) Erick Thohir.

Muhadjir Effendy, the Coordinating Minister for Human Development and Cultural Affairs; Yaqut Cholil Qoumas, the Religious Affairs Minister; Zulkifli Hasan, the Trade Minister; and Airlangga Hartarto, the Coordinating Minister for Economic Affairs, were also victims of the Indonesian tax agency data breach.

The threat actor says the data breach leaked Indonesian taxpayer identification numbers (NPWP), national identification numbers (NIK), email addresses, phone numbers, and other personally identifiable information.

Dwi Astuti, the Indonesian tax agency’s Director of Public Relations, said the DJP is investigating the data breach to ascertain the scope of the cyber incident: “Regarding the circulating information on the NPWP data leak, our technical team is currently conducting an in-depth investigation.”

As yet, the tax agency has not confirmed the nature of the information leaked and the number of individuals affected pending a full investigation.

For now, it remains unclear if the data breach exposed individual tax returns, including those of government officials, a disclosure that is usually politically significant.

Why the data breach impacted only 6 million of Indonesia’s 45.43 million registered individual taxpayers is also a mystery.

Potentially impacted taxpayers have, nevertheless, been advised to remain vigilant for potential phishing attacks, as cybercriminals could impersonate tax officials to extort them by claiming they have tax arrears.

Armed with accurate taxpayer information, the attackers could demand payment to amend the victims’ tax returns to spare them from impending tax problems.

In addition, they could intimidate impacted individuals into disclosing sensitive personal and financial information, such as credit card numbers and bank account details for fraud.

So far, the threat actor has not disclosed how they breached Indonesia’s tax agency, although the country’s institutions have become easy targets for cybercriminals.

However, Indonesia’s revenue service has not reported any system disruptions, thus ruling out a ransomware attack.

Nevertheless, ransomware attacks that skip the encryption step and solely capitalize on stolen data for extortion are not uncommon.

Target for cyber attacks

As the third-lowest ranking country among G-20 countries on cybersecurity, Indonesia has suffered numerous breaches that have compromised over 144 million accounts and impacted government agencies and public and private organizations.

On June 20, 2024, Indonesia’s National Data Center suffered a ransomware attack that disrupted government services across 300 national and state agencies, including transport and immigration.

Cyber attacks have also raised political temperatures in Jakarta, resulting in calls for the resignation of the “giveaway” Minister of Communications.

Critics accuse Setiadi of being a political appointee lacking the necessary technical skills to defend the country’s cyberspace. The government’s commitment to transparency regarding cyber attacks has also come into question.