After reports of COVID-19 patients’ data being sold, now allegedly, there are data leaks of the data from eHAC and even the President’s vaccine certificate. How far our data security goes?
Following points are translation for points inside the graph)
This is not the first the government has failed to protect its citizen’s data. In May 2020, the government was troubled with the leakage of Covid-19 patient data that was being sold on the internet. This time data from the eHAC, an application specialized for testing and tracing for Covid-19, is reported to be leaked. Repeated data leaks have signalled that the government has yet to seriously ensure the security of each citizen’s identity and their own digitalized personal data. Although the digitalization process has been done and dusted, there are still incidents that have shown that digital infrastructures are not fully prepared yet.
About 230.000 databases of Covid-19 patients in Indonesia are reportedly known to be traded on internet forums such as Raid Forum in May 2020. Some of those data are personal data and data referred to the patient’s condition.
Instead of providing transparency in social aid management, several local governments offered open access to the personal private information of its citizen who received social aid for those who were affected by Covid-19 instead. Such data varied from full name, citizenship registry number (NIK), address, phone number and so on; these data were supposed to be protected and secured. The accessibility of this personal information is undoubtedly susceptible to ill-intents and abuse.
This is not the first flaw in the government’s electronic system. Ministry of Home Affairs (KEMENDAGRI) acknowledged that four serves belonging to the Office of Population and Registry in Magelang District, Subang District, Kota Bogor, and Bekasi District were hacked. In the aftermath, data belonged to the citizens who lived in those areas to be leaked. This gives a sign that the government’s infrastructure for digital security is feeble and prone to hackers.
A year after Covid-19 patients’ data were leaked, we were shocked by the alleged data leak of 279 million Indonesian citizens. In which the data that were revealed included full name, identity card (KTP), phone numbers, emails, identity registration number (NID), and home address from Social Health Insurance Administration Body (BPJS). Our data were sold in the same forum for worth up to hundreds of millions of rupiah.
Security Research Team from vpnMentor exposed the fragility of the data of those who use the eHAC application. This data leak affected its users and revealed the whole infrastructure surrounding the eHAC application itself, including private notes from hospitals and Indonesian government officials who also used that application. Before this, the citizens were highly encouraged to use the government-owned application, although there were barely any explanations or guarantees for its security.
Unfortunately, these data leakages may keep reoccurring as long as the data management is not carefully managed and the data security aspect is overlooked. The government can not be absent regarding the security of their citizen’s data. Leaking personal data to the public comes with the consequences of triggering criminal activities that may threaten people’s safety and security. This also includes discrimination toward people with diseases considered taboo by the masses.