35M Indonesians' Passport Data for Sale on Dark Web for $10KResearcher Suspects Hack, Data Leak Done by Notorious Indonesian Hacktivist Bjorka
The personal information of nearly 35 million Indonesian passport holders is up for sale on the dark web for $10,000 by notorious hacktivist Bjorka, who routinely criticizes the Indonesian government, publishing damaging information about lawmakers on social media. The government is investigating a possible breach of the Directorate General of Immigration's network.
Indonesian security researcher Teguh Aprianto revealed in a Twitter thread on Wednesday that a hacker had put up for sale Indonesian passport holders' details including their full name, birthdate, gender, passport numbers and passport validity dates.
Aprianto said the threat actor shared a sample of 1 million data records as proof that the records were genuine. The threat actor's post said the 4-gigabyte data dump is available to purchase for $10,000.
"When viewed from the sample data provided, the data looks valid," Aprianto tweeted. "The timestamp is from 2009-2020."
Indonesia's Ministry of Communication and Informatics, known as Kominfo, on Thursday said it is investigating reports of the alleged theft of the personal information of 34.9 million Indonesians. Director-General of Informatics Applications Semuel A. Pangerapan said the ministry "had not been able to conclude that there had been a massive leak of personal data as suspected."
Pangerapan said Kominfo will conduct an in-depth investigation into the reported data leak and publish its findings as soon as possible. The ministry is working with the National Cyber and Crypto Agency, the Directorate General of Immigration and the Ministry of Law and Human Rights.
"The Ministry of Communications and Informatics requests that all digital platform providers and personal data managers further improve the security of users' personal data in accordance with applicable personal data protection provisions and ensure the security of the electronic systems being operated," Pangerapan said.
Aprianto said the data sample was posted by Bjorka, an infamous Indonesian hacktivist who gained notoriety in September 2022 for stealing the data of 1.3 billion SIM cards from the servers of the Indonesian Ministry of Communication and Information Technology and putting it up for sale on the dark web. The hacktivist is also suspected to be behind the theft of the personal information of 17 million customers of Indonesian electricity company PLN in August 2022.
Threat intelligence company Cyble said Indonesia is one of Southeast Asia's highest-targeted nations for cyberattacks. It experienced over 11 million attacks in the first quarter of 2022 alone.