Indonesia hunts down Bjorka as analysts warn hacking spree could be ‘tip of the iceberg’
- Bjorka claims to be behind the hacking of spy documents, voter information and the data of 1.3 billion registered mobile phone users
- Indonesia is setting up a task force to address the data leaks, but critics say a lack of coordination means various agencies are passing the buck on investigating the issue
Amid public alarm over the data leaks, a senior official on Wednesday sought to reassure Indonesians that all state secrets remained safe.
“Until now, no state secret has been leaked. We will take it seriously and deal with this problem, but also the public must remain calm,” said coordinating minister for legal, political, and security affairs Mahfud MD. “[These data breaches] remind us to build sophisticated [cybersecurity] systems.”
Mahfud said the public could expect the House of Representatives to pass the long-awaited Personal Data Protection bill into law “within a month’s time”. The bill was introduced to parliament eight years ago.
Wahyudi Djafar, executive director with the Institute for Policy Research and Advocacy (Elsam), said the data breaches would be “the tip of the iceberg” if the country continued to lack a comprehensive legal framework on personal data protection.
“Everything these days is data-driven, all government and private parties today are competing to collect data on a large scale, but the protection scheme was not prepared from scratch,” he said.
“The special team formed by the president is actually more about coordination, because several institutions have already been given the authority [to probe a data breach], such as the Ministry of Communications and Information Technology, police, and National Cyber and Crypto Agency. But ... these agencies pointed at each other to carry the responsibility to investigate a data leak.”
Who is Bjorka?
Widodo’s files were not Bjorka’s first data harvest. Last month, the hacker, who claimed to be based in Warsaw, sold the data of more than 26 million customers of state-owned internet provider Indihome on hacking forum breached.to.
Last month, they claimed to have stolen the personal data of 1.3 billion registered Indonesian mobile phone users, making it one of the biggest data breaches to hit the country. They also leaked the personal data of 105 million voters from the General Election Commission.
All of these back-to-back data breaches include citizens’ identity cards and family cards, two important documents used often by the country’s 270 million population to obtain civil services.
In the past week, Bjorka also leaked data of high-ranking officials, such as those belonging to Luhut Pandjaitan, the coordinating minister for maritime and investment affairs; state-owned enterprises minister Erick Thohir; Johnny Plate, minister of communication and informatics; and Puan Maharani, speaker of the House.
Indonesia denies Chinese hackers breached intelligence agency’s servers
Bjorka, who has been suspended at least three times on Twitter, claimed their hacking was driven by the urge to change Indonesia “for the better”.
“The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces, because they are just stupid people,” the hacker said last week on their now-deleted Twitter account.
This was not the first time Bjorka challenged Jakarta in an expletive-laden public statement.
When Samuel Pangerapan, directorate general of informatics applications at the ministry of communications and informatics, pleaded with Bjorka to stop leaking citizens’ personal data, the hacker told him to “stop being an idiot”.
On a Twitter thread last week, Bjorka claimed they cared about Indonesia due to their association with an Indonesian exile in Poland, who fled the country in the aftermath of the CIA-backed anti-communist purge in 1965, which also targeted Chinese-Indonesians.
“I have a good Indonesian friend in Warsaw, and he told me a lot about how messed up Indonesia is. I did this for him. Don’t try to track him down from the foreign ministry, because you won’t find anything. He is no longer recognised by Indonesia as a citizen because of the 1965 policy, even though he is a very smart old man,” Bjorka, who is seemingly a huge fan of Icelandic eclectic singer Bjork, said on Twitter.
This motive has helped Bjorka gain a heap of Indonesian followers on social media, including on Telegram, where their channel now has more than 140,000 subscribers as of Wednesday.
Bjorka is also seen favourably by some Indonesian internet users due to their brazen, social justice commentaries about the country’s establishment.
“Hackers are typically driven by their fight against the establishment. Previously, Bjorka’s motive was economic, but now they have support from the Indonesian public, who told Bjorka that [victims] in some [criminal] cases don’t get their justice, so the public’s demand is connected with the intrinsic, rebellious attitude of the hackers,” said Ismail Fahmi, founder of social media analytics and private consultancy firm Media Kernels.
It remains unknown whether Bjorka is an Indonesian or foreigner, as well as their actual whereabouts. Mahfud on Wednesday said police and the intelligence agency had detected Bjorka’s identity, but “we can’t reveal it to the public now”.
Bjorka did not respond to This Week in Asia’s repeated requests for comments.
Data protection bill
Whatever their motives are, the media sensation brought by Bjorka and their hacking has helped spur Jakarta to pass the Personal Data Protection bill into law.
The law, drawn up to mirror the European Union’s General Data Protection Regulation, contains comprehensive rules on personal information collection and storage, as well as accountability measures that public or private organisations need to take in case of any breaches.
Under the current draft, a new data protection oversight agency will be established, pending agreement between lawmakers and the government on its structure. The president will design and control the agency, while its role will be dictated by lawmakers to ensure its independence.
Web-connected devices may have to meet new EU cybersecurity rules
“A new concern arises that this law will not be applied effectively because the authority [of the data protection agency] is fully delegated to the president. We need to learn from countries like Singapore, the United States, and Estonia that the data protection agency must be fully independent,” Wahyudi Djafar of Elsam said.
The country is still lacking a cybersecurity-focused law, which can complement the data protection law and help “ensure that massive data breaches will not happen again in the future”, he said.
Under the incoming law, data operators could face up to five years in jail and a maximum fine of 5 billion rupiah (US$337,000) for leaking or misusing private information, and users will have the right to withdraw their consent and receive compensation from data operators in case of breaches.
Additional reporting by Bloomberg
