Questions about a new Indonesian data protection law’s full implementation loom large in the aftermath of the notorious “#Bjorka” hacker case. Photo: Shutterstock
Asian Angle
by Yanuar Nugroho

Indonesia’s #Bjorka embarrassment exposed its devastatingly weak cybersecurity – but a new data protection law may help

  • A long-awaited data protection law passed earlier this month could pave the way for Indonesia to enjoy all that embracing a digital economy promises
  • But only if it’s implemented correctly. The Bjorka hacking case showed the government needs to better prepare itself to protect its citizens

In a long overdue development, Indonesia’s House of Representatives passed the much-anticipated Personal Data Protection (PDP) bill into law on September 20. Its ratification will essentially support the government in realising its national strategy for digital transformation.

Overall, Indonesia’s government seems to be optimistic about the PDP law. Communication and Information Technology Minister Johnny G. Plate claimed that Indonesia was the fifth Asean country to have PDP regulations and said he believes the law embodies the government’s protection of Indonesian citizens’ private data.

If successfully implemented, the law will provide a future-oriented regulatory framework and possibly stimulate reform in data governance for the government and non-government organisations.


It also closes the lacuna in Indonesia’s governance framework for the protection of citizens’ personal information and data, a lack that the government acknowledged years ago.

However, not all commentators are optimistic. The implementation of the new PDP law already faces some serious challenges. First, it stipulates the need for “implementing regulations” to be harmonised across government, from the executive (presidential) to ministerial level.

All of these supporting regulations need to be formulated inclusively. Second, what form the implementing agency will take as the highest PDP authority that reports directly to the president is still unclear. Many alternatives are being suggested and this authority could take at least a year to be established. The implementation of a comprehensive PDP framework will inevitably entail more complex debates.

Looking at Indonesia’s legislative experience, worries about delays in the implementation of important laws are not baseless. The National System for Science and Innovation Law No. 11 of 2019 (UU Sisnas Iptek), for instance, was ratified in mid-2019 to mandate the formation of an independent Research and Innovation Agency, which is still not fully operational.

The National Capital Law No. 3 of 2022 (UU Ibukota Negara, or the IKN Law) was extremely rushed – taking only 42 days from the first reading in parliament to its passage. Its implementing regulations were quickly prepared and the IKN authority’s structure is incomplete, even now.

The IKN authority’s current head and his deputy are working without assistants or other organisational support. This has led to uncertainty over whether the targets for the new capital city’s development can be achieved and if the government is serious about fully moving out of Jakarta.

Questions about the PDP law’s full implementation loom large in the aftermath of the notorious “#Bjorka” hacker case – with its outrageous leaks of troves of personal information – which has preoccupied Indonesians over the past month. Some observers question whether that case accelerated the ratification of the PDP law, given the huge embarrassment it caused for the Indonesian government.
Millions of Indonesians’ private data was allegedly leaked and sold on the dark web by the #Bjorka hacker or groups of hackers. Photo: Shutterstock

An audacious hacker or group called “Bjorka”, formerly @bjorkanism on Twitter, serially published sensitive personal data and doxxed several Indonesian public figures. From August 20 to the second week of September, Bjorka allegedly leaked and sold on the dark web the private data of millions of Indonesian citizens, supposedly taken from the databases of private companies, state-owned enterprises, and even state agencies and ministries.

Even private data such as the Covid-19 vaccination statuses of prominent politicians was leaked, including that of Minister Plate, whose job scope ironically covers the prevention of such hacks, his fellow ministers Erick Thohir (state-owned enterprises) and Luhut Pandjaitan (coordinating minister of maritime affairs and investment), and parliament speaker Puan Maharani.

More seriously, Bjorka publicly accused General Muchdi, the retired former head of Kopassus (special forces) and a state intelligence officer, of the murder of human rights defender Munir. Munir’s case made headlines in 2006 when a different individual was charged but then acquitted of his September 2004 murder. Separately, Bjorka has leaked data belonging to Minister of Home Affairs Tito Karnavian and accused him of being involved in the recent high-profile murder of a police general’s aide in the “Sambo case”.

What Bjorka did has certainly angered public officials. Head of the Presidential Secretariat Heru Budi Hartono threatened to arrest the hacker for violating the Electronic Information and Transaction Law. President Joko Widodo formed a special team to respond to Bjorka’s “attack”, a move that sparked mixed reactions. Critics feel Widodo is trying to address new problems – threats in the digital world – by using old or outdated approaches such as coercive power. They argue that instead of prioritising the “hunting” of Bjorka, the first thing the government must do is to improve its cyber and digital governance and then ensure protections are in place for citizens’ private data and government data. The hunt for Bjorka has only embarrassed the administration: the wrong person, an individual from Madiun, East Java, whose initials are MAH, was arrested in mid-September. Other suspects were identified but to no avail.

Bjorka must be held accountable but the government also needs to be responsible for Indonesia’s devastatingly weak cybersecurity regulations and digital capacity. The Bjorka case sends a message loud and clear: Indonesia’s capacity in cyber governance must be improved if it is to enjoy the promise of fully embracing the digital economy while dealing with the associated challenges and risks.

The #Bjorka case is merely a wake-up call. Governing in the digital era, Indonesia’s government should prepare itself and protect its citizens by sharpening the saw that is the PDP law. Only bad workers blame their tools.

Dr Yanuar Nugroho is a Visiting Senior Fellow at the ISEAS – Yusof Ishak Institute. He was the former Deputy Chief of Staff to the President of Indonesia 2015-2019.

This article was originally published as ‘The #Bjorka Case and Ratification of Indonesia’s PDP Law: Confronting Digitalisation’ on ISEAS – Yusof Ishak Institute’s commentary site,