Suspected Leak of Personal Information of 4.75 Million Indonesian Civil Servants Sold for US$10,000 on Black Market

On August 11, 2024, the suspected leakage of personal information of 4,759,218 civil servants and public sector employees (PPPK) across all Indonesian provinces triggered social uproar. These personal data originated from a database administered by the State Civil Service Agency (BKN). It is alleged that the data was being sold for US$10,000 (approximately IDR 159 million) on the hacker forum Breachforums.

On Sunday (August 11), Acting Head of the Bureau of Public Relations, Law, and Cooperation of BKN, Vino Dita Tama, informed the media that an investigation into the suspected data leak was underway. However, he declined to elaborate further on the details of the investigation or its impact on various departments and agencies. It remains uncertain whether this will affect the upcoming national civil service recruitment process through the selection of candidate civil servants.

The suspected leak was first reported by the cybersecurity platform FalconFeeds on social media platform X (formerly Twitter). It was claimed that a criminal had boasted about selling a database containing personal information of 4.7 million civil servants and PPPK.

Furthermore, the Cyber Intelligence Security Studies and Research Center (CISSReC), a cybersecurity research institution, also confirmed that the data was being sold for US$10,000 on Breachforums. Chairman of CISSReC, Pratama Pesada, stated, "This discovery started on August 10 with a post by an anonymous hacker, TopiAx, on Breachforums." In the post, the hacker claimed to have obtained 4,759,218 rows of data from BKN, encompassing extensive information such as names, places of birth, dates of birth, degrees, dates of candidacy and appointment as civil servants, employee ID numbers, candidate and civil servant certificate numbers. Other data included ranks, positions, institutions, addresses, identity card numbers, mobile phone numbers, emails, education, majors, and graduation years. In addition to these, there were numerous other pieces of information, both in plaintext (unencrypted storage or transmission) and encrypted texts.

Pratama added that the hacker offered all this data for US$10,000 on the hacker trading forum. The hacker allegedly shared a sample data set containing 128 civil servants from various agencies in Aceh. Regarding this matter, CISSReC randomly verified the identities of 13 civil servants listed in the sample data via WhatsApp. "According to them, the data is accurate, though some have reported discrepancies in the last digit of their employee ID and identity card numbers," he said. Amid the upcoming 79th anniversary of Indonesia's Independence Day, the Indonesian government's data has been repeatedly targeted by attacks.

In June this year, Indonesia's Provisional National Data Center (PDNS) was also disrupted by a ransomware attack, with criminals allegedly demanding a ransom of up to IDR 131 billion.