A hacker that goes with the name Database Shopping was said to have breached a government database that stores information about 'COVID-19' coronavirus test-takers in Indonesia.
The database that contained at least 230,000 people included personal details such as the names, sex, addresses, ages and nationalities of the people who took COVID-19 testings at several hospitals in Bali.
The data also showed which kind of tests each individual took, the date the tests were taken, the results for each individual, the symptoms the test-takers were having, and some other data that also include things related to COVID-19 tracing.
The database was then put up for sale for $300 at the data-exchange platform RaidForums.
At that same forum, there is also another member who has put up for sale the personal information of 15 million users from homegrown e-commerce unicorn Tokopedia’s database for $5,000.
“Indonesia COVID-19 database, 230k [worth of data in the] MySQL [database]. Leak date: May 20, 2020. I sell it to the enthusiast,” user Database Shopping said in his post.
During an interview with the local news agency Kompas through email, the seller claimed that he also managed to breach the database of people participating in COVID-19 testings from other regions in Indonesia, including Jakarta and Bandung in West Java.
Responding to the alleged data breach, national COVID-19 task force spokesperson Achmad Yurianto that didn't disclose much details, said that he would “leave it to the authority.”
"This issue has been handed over to the Communication and Information Ministry and the National Police's criminal investigation department," he said.
According to Minister Indonesia's Minister of Communication and Information Technology Johnny G Plate. the COVID-19 database and the results of the examinations at the ministry's data center "are safe."
However, he pointed out that he would investigate the alleged hack, and said that the Ministry and the National Cyber and Encryption Agency were already following up on information about the data breach.
The Ministry will also be assessing other data centers in other Ministries and government institutions to ensure they have not been hacked, said Johnny.
One cybersecurity expert was quoted as saying that based on what was posted, it appeared that the data didn't come from hospitals but from the database server.
"The bad news is that the server of the main database has weaknesses and could be hacked," said Alfons Tanujaya. "We must believe what the Communication and Information Minister said, but we cannot deny the data is there in the RaidForums."
Separately, National Cyber and Encryption Agency (BSSN) spokesman Anton Setiyawan said that BSSN has coordinated with the Health Ministry and the (COVID-19) Task Force to ensure there was no illegal access (to the database) resulting in the data leakage in the electronic system and active information assets of the COVID-19 pandemic management.
According to Pratama Dahlian Persadha, Indonesia's Communication and Information System Security Research Center (CISSReC), this kind of leak can be risky to those affected because the data contains their physical addresses and their conditions regarding the virus.
He said that amid the pandemic, hackers not only seek financial details of people, but also other kinds of information, including patients of coronavirus.
Data breach cases are on the rise in Indonesia.
Previously, a database claimed to consist data from final voter lists at the 2014 Indonesia Presidential Election was also leaked.
This COVID-19 test-takers data leak has again raised concerns about the need of a law to protect citizens' privacy. Parliament has put the Personal Data Protection Bill on its priority list for this 2020, but it has yet to be passed.