Dukcapil Data Leaked: July 16, 2023 – Cybersecurity Consultant Teguh Aprianto, known on Twitter as @secgron, first brought to public attention the alarming data leak from the Indonesian Directorate General of Population and Civil Registration (Dukcapil). His tweet revealed that a staggering 337 million (337.225.463) records were compromised and subsequently traded on the Breach Forums by the hacker with the moniker “RRR.”

Kali ini yang bocor adalah data kita semua di Dukcapil sebanyak 337 juta data.

Data yg dipastikan bocor adalah nama, NIK, No KK, tgl lahir, alamat, nama ayah, nama ibu, NIK ayah, NIK ibu, No akta lahir/nikah dll.

Untuk @DukcapilKDN, yuk segera disiapkan template bantahannya 💩 pic.twitter.com/f1EOVEBppy

— Teguh Aprianto (@secgron) July 16, 2023

Teguh Aprianto’s expertise in the cybersecurity domain made him a key figure in disseminating this critical information. The leaked data contained sensitive details, including names, National Identification Numbers (NIK), Family Card Numbers (No KK), dates of birth, addresses, names of parents, NIK of parents, birth/marriage certificate numbers, blood types, religion, and marital status.

A Serious Cybersecurity Concern

According to bbc.com, Cybersecurity experts, including Alfons Tanujaya, have labeled this breach as “extremely severe” due to the inclusion of full maternal names, which are commonly used for banking security verification. Alfons urges the Ministry of Home Affairs (Kemendagri) and the State Cyber and Cryptography Agency (BSSN) to launch a joint investigation to uncover the cause of the leak. He also warns that if negligence or individual involvement is discovered, criminal charges under the Personal Data Protection Act could be pursued.

Denials from Dukcapil and Concerns from Expert

Responding to the situation, the Director-General of Dukcapil Kemendagri, Teguh Setyabudi, claimed that no traces of data leakage have been found in the Centralized Population Administration Information System (SIAK) operated by Dukcapil Kemendagri. However, experts Alfons Tanujaya, suggest that the leaked data, consisting of 69 columns with 28 containing vital personal information, may have been directly copied from the dukcapil.kemendagri.go.id server without any encryption.

The Contents of the Breach

From the leaked sample data, it has been confirmed that the compromised information includes NIK, full names, dates of birth, birth certificate numbers, blood types, religion, and marital status. More sensitive data, such as marriage and divorce certificate numbers, dates, and even physical disabilities, were also exposed. The breach further includes details about educational backgrounds, occupations, NIK of parents, full names of parents, and even the names of the officers who inputted the data.

The Elusive Hacker “RRR”

The hacker “RRR” has a notorious reputation and has offered various data sets from Indonesia and other countries. These include 1.3 trillion telephone SIM card registration data, 34 million Indonesian passport data, 6.9 million visa data, 272 million Social Security Administrating Body (BPJS) data, and 186 million data from the General Election Commission (KPU). Additionally, “RRR” has targeted foreign data, including 15 million Japanese corporate data, 108 million Iranian Telecom data, 2.8 million Lebanese population data, 28.6 million Taiwanese worker data, 23.5 million Taiwanese citizen data, 30 million Thai citizen data, and 789 million Indian voter data. Notably, the hacker has also put up 10 million data from a Jordanian telecom operator and 51 million data from Facebook users in Vietnam and Japan.

The scale and severity of this data breach highlight the urgent need for improved cybersecurity measures, both in Indonesia and globally, to protect the sensitive personal information of individuals and prevent such attacks in the future. Authorities and organizations must work together to address the breach, hold perpetrators accountable, and enhance data protection protocols to safeguard citizens’ privacy and security.