Failures in Saving Lives and Protecting Citizen’s Personal Data

Failures in Saving Lives and Protecting Citizen’s Personal Data


After reports of COVID-19 patients’ data being sold, now allegedly there are data leaks of the data from eHAC and even the President’s own vaccine certificate. To be frank, how far our data security goes?


(Translation for points inside the graph)

  • 29 March 2020 > Thousands of data belonged to people who received the 2020 Covid-19 social aid in Tegal City were made available by the local government (Pemda).
  • 20 May 2020 > Database that contained 230.000 Covid-19 patients’ data were breached and traded on internet forums.
  • 15 July 2020 > Thousands of data belonged to people who received the 2020 Covid-19 social aid in Southern Tangerang City were made available by the local government (Pemda).
  • 16 September 2020 > 279 million data of Social Health Insurance Administration Body (BPJS) members (including the ones who already passed away) were being traded in hackers’ online forums.
  • 12 May 2021> Thousands of data belonged to those who received the 10th stage of Micro Business Productive Assistance (BPUM) were opened by local governments in 2020.
  • 7 June 2021 > 8.797.669 data from citizens who lived in 4 districts were hacked.
  • 15 July 2021> Ministry of Health’s application, eHAC had their users’ data left without protection.

the Reoccurrence of Events

This is not the first the government has failed to protect their own citizens personal data. In May 2020, the government was distraught with the cases of leakage of Covid-19 patients’ data that were being sold on the internet. This time data from the eHAC, an application specialized for testing and tracing for Covid-19 is reportedly to be leaked. Repeated data leaks have signaled that the government is yet to ensure security of each citizen’s identity and their own digitalized personal data seriously. Although the digitalization process has been done and dusted, there are still incidents that have showed the digital infrastructures are not fully prepared yet.

Patient Covid-19 Data were traded in May 2020.

About 230.000 database of Covid-19 patients in Indonesian are reportedly known to be traded on internet forums such as Raid Forum in May 2020. A portion of those data are personal data and data referred to the patients’ condition.

Personal Data of Social Aid Receivers are Openly Accessible

Instead of providing transparency in social aid management, several local governments provided open access for personal private information of its citizen who received social aid for those who were affected by Covid-19 instead. Such data are varied from full name, citizenship registry number (NIK), address, phone number and so on; these data were supposed to be protected and secured. The accessibility of these personal information is surely susceptible to ill-intents and abuse.

  • Thousands of data of those who received Stage 10 of BPIM in West Kalimantan in 2020
  • Data of those who received Covid-19 Social Aid in Southern Tangerang City in 2020
  • Data of Arrangement for Covid-19 Social Aid distribution of citizens in Tegal City in 2020.

Unsecured server led to 8.797.669 citizens’ data being hacked

This is not the first flaw in the government’s electronic system. Ministry of Home Affairs (KEMENDAGRI) acknowledged that four serves belonged to the Office of Population and Registry in Megelang District, Subang District, Kota Bogor, and Bekasi District were hacked. In the aftermath, data belonged to the citizens who live in those areas to be leaked. This gives a sign that the government’s infrastructure for digital security is feeble and prone to hackers.

279 million Data of Social Health Insurance Administration Body (BPJS) were Leaked

A year after Covid-19 patients’ data were leaked, we were shocked by the alleged data leak of 279 million Indonesian citizens. In which the data that were leaked included full name, identity card (KTP), phone numbers, emails, identity registration number (NID), home address from Social Health Insurance Administration Body (BPJS). Our data were sold in the same forum for worth up to hundreds of millions of rupiah.

Ministry of Health’s application, eHAC users’ data were left without protection

Security Research Team from vpnMentor exposed the fragility the data of those who use the eHAC application. This data leak did not only affect its users, but it also exposed the whole infrastructures surrounding the eHAC application itself. In which, it included private notes from hospitals and Indonesian government officials who also used that application. Before this the citizens were highly encouraged to use the government-owned application although there’s barely any explanations or guarantee for its security at all.

Contradictory Logic

  • Citizens’ data are supposed to be protected and secure, are in fact being left available without security measures.
  • Data for testing in each district or city are supposed to be made available to the public for the purpose of epidemiologic purposes are not accessible instead.
  • Data for vaccines budget management and budget absorption, medical devices and equipment procurement and economy recovery are being covered up instead.
  • Data regarding Post Immunization Adverse Events (KIPI) are supposed to be announced, on the contrary, those data were not conveyed to the public.


Government’s Responsibilities 

Unfortunately, these data leakages may keep on reoccurring as long as the data management are not carefully managed, and data security aspect is overlooked. The government can not be absent when it comes to the security of their citizens’ personal data. Leaking personal data to the public comes with the consequences of triggering criminal activities that may become threats towards people’s safety and security. This also includes discriminations towards people with diseases that are considered taboo by the masses.

Therefore, LaporCovid-19 urges the government to:

  1. Ensure the preparedness of digital infrastructures measurements that are safe and secured.
  2. Ensure that personal data of every citizen is safe from any digital crimes.
  3. Open a public access to transparent data surveillance.
  4. Make it accessible for people to see the data for Covid-19 emergency budget and budget absorptions from vaccines, medical equipment, and devices as well as other economic recovery measures.