Depok, August 3rd, 2023. Not long ago, news emerged about the leak of population data being sold on a hacker forum site. The leaked data includes name, date of birth, National Identity Number (NIK), Family Card (KK) number, address, father’s name, mother’s name, father’s NIK, mother’s NIK, birth/marriage certificate number, and others. This news was quite disturbing to society.
Computer forensics and security expert, Faculty of Computer Science (Fasilkom) Universitas Indonesia (UI) Ir. Setiadi Yazid, M.Sc., Ph.D., said that data leakage is the reading of data by outsiders who should not have the right. This can happen because of an attacker who managed to copy the data illegally. Attackers, who are also known as hackers, take advantage of gaps or weaknesses in the network or what are commonly called vulnerabilities.
Due to the vulnerability factor, Setiadi said that an attacker could read the data without the data manager’s permission. In addition to technical vulnerabilities, there are also other human weaknesses that hackers can take advantage of, namely through social engineering, where without realizing it, the management staff will allow hackers to copy data that should be kept confidential.
Apart from all the loopholes above, Setiadi said there were still carelessness caused by human error, such as recording passwords in an open place, or sharing passwords with friends, which could also be the start of a data leak. He further conveyed that basically every man-made system, including software, has weaknesses.
It has become a worldwide agreement that any weaknesses found will be announced to the wider community. This list of vulnerabilities is stored in a Vulnerability Database (VDB) that everyone can read. This list also includes how to fix it according to the suggestions from the software maker. Therefore, the system manager should always monitor the VDB, so that appropriate action can be taken to overcome it, before the weakness is exploited by hackers.
“What needs to be realized is this computer system, especially the software, tends to be more sophisticated and complicated, which makes securing it is not easy. After all, the effort and funds spent on security will not immediately return as profits. Therefore, public data managers need to be prepared to spend extra funds and efforts for this security. It is because even though it doesn’t immediately increase profits, in the long term the impact of not putting in effort to ensure data security can be very detrimental. In addition, at the national level, this will also have an impact on the country’s economy. If other countries see that data leaks often occur in Indonesia, then they will think twice before investing in Indonesia,” said Setiadi who is also the Chair of the Center for Cyber Security and Cryptography (CCSC) UI.
Meanwhile, Setiadi also revealed that there are various motives for someone to hack, ranging from political to economic motives. He added, generally hacking is done for economic reasons because the data obtained can be used to take assets from the data owner.
“The data obtained can be used to enter the bank’s system. When the system has been penetrated, all parties, especially customers, are threatened because their authentication is known. This data for authentication is traded. The more important the information, the higher the price the data can be sold for,” said Setiadi. Apart from economic and political motives, Setiadi said there were also those who did it with the aim of gaining status among hackers, that the perpetrator was a great hacker.
With the alleged data leak occurring from a government agency, Setiadi said that at the very least, the government needs to provide direction on how people can keep their assets that are stored in banks safe even though their personal data has been disclosed. The government also, he said, must improve the system because in the last four years there have been more than 80 occurrences of data leaks. “In the last year alone, there have been nine times, all of which have happened and have been dismissed with the statement that the leaked data is not the same as the stored data. Even the public can’t do much, most likely because there is still a lack of awareness about the impact of this data leak,” said Setiadi.
Seeing this situation, Setiadi advised the public as data owners to start using multiple authorizations or tricking verification questions with more personal answers and changing passwords regularly. In addition, the public must also be prepared to face the worst scenario when their personal data is leaked. For example, which bank accounts must be closed immediately, and other methods according to existing banking procedures. Meanwhile, for banks and the government, it may be necessary to change the questions in the verification procedure to become more personal and varied questions so that the possibility of being penetrated is smaller.
