After the alleged leak of personal data of more than 200 million Indonesians, the Communications and Information Ministry has ordered internet service providers to block access to data sharing site Raid Forums. Hackers have used the site to sell information in multiple cases, including those involving e-commerce platforms Tokopedia and Bukalapak.

“Raid Forums has been identified as a forum that shares content that violates laws in Indonesia. The website, including an account named ‘Kotz,’ is in the process of being blocked,” said ministry spokesperson Dedy Permadi in a statement on Saturday.

Additionally, download links to data files hosted on bayfiles.com, mega.nz, and anonfiles.com have all been disabled. Along with the National Cyber and Encryption Agency, the ministry also ran a random check on 1 million data samples that were included in the leak and concluded that they “need to investigate further.”

It is presumed that the dataset was stolen from the Health Care and Social Security Agency (BPJS Kesehatan), which runs the nation’s health insurance program. The samples contain unique data such as BPJS card numbers and insurance payment status. The ministry contacted BPJS Kesehatan’s board of directors on Friday, urging them to conduct an internal investigation and formulate a plan to prevent future breaches.

The authorities have yet to determine the origin of the leak. BPJS runs 14 mobile apps for its stakeholders that include policyholders, medical facilities, and administrators.

Victims are still at risk

The BPJS leak may be the largest data breach against a governmental institution in Indonesia, but it is not the first. In May last year, Indonesian voters’ names, home addresses, and national identification numbers from voter lists of the 2014 national elections were leaked online, according to the General Election Commission.

Local tech companies have been vulnerable too. E-commerce platforms Tokopedia and Bukalapak, along with fintech aggregator Cermati, were reportedly the targets of successful hacks. In those cases, the stolen information was sold on Raid Forums.

Ruby Alamsyah, co-founder and CEO of cybersecurity consultancy Digital Forensic Indonesia, told KrASIA that blocking the site is ineffective and will not prevent data from being sold or circulated. The block can be bypassed with software like VPNs, he said.

Alamsyah added that the leak, which includes sensitive and unique information, has put many Indonesians at risk. The threat of identity theft is on the minds of many people who worry about fraudulent credit card applications or loans on illegal lending platforms. As the leak includes e-mail addresses and phone numbers, Indonesians may encounter elevated threats involving malware and phishing links.

“Online scams use social engineering techniques. Victims tend to be easily fooled as scammers already know their personal information,” Alamsyah said. “People must be very careful and increase their awareness of potential fraud.”

Unfortunately, victims of the leak have few options for recourse as Indonesia does not have laws allowing citizens to sue companies or institutions for damages when their personal data is compromised. The government and parliament agreed to add a clause on violations in the handling of personal information—which would include leaks—in its data protection bill. Despite their intention to pass the bill into law in early 2021, legislators have been moving slowly, giving the impression that data protection is not a priority in the country.