Cermati, an Indonesian fintech aggregator, was the victim of a devastating data breach last week. This breach affected 2.9 million accounts, and reportedly leaked and sold private data on hacker forums. The event has legislators scurrying around for new data protection regulation, which would prevent future attacks.
Cermati facilitates applications for loans and credit cards, as well as bill payments on its platform. So logically, Cermati stores large amounts of customer data on its platform.
Confirmed by the local press, the data breach included a lot of important personal credentials. Names, addresses, email addresses, phone numbers, bank details, taxpayer registration details, national ID numbers, etc. we’re put up for sale on a hacker forum. This information was sold for $2,200.
Counteroffensive measures
Three days after the reported breach, Cermati reached out to its customers via email. The correspondence did not confirm the breach and sale of data but said that an unknown identity had gained access to the company’s data centre.
Cermati assured its customers that it had contacted the national emergency cybersecurity services, and was also contacting private cybersecurity experts to investigate and assess the damages. The email from Cermati also asked customers to enable 2-factor authentication (2FA) for their accounts.
Indonesia to adopt stricter data protection law
The Indonesian House of Representatives is scheduled to conclude it’s sessions on the issue of data protection in November. This is a delay from their original plan of concluding the discussion in October.
The new law has been assessed by the responsible ministry since 2014. It is touted as the “personal data protection bill”, and is inspired by the EU’S General Data Protection Regulation (GDPR).
The forthcoming legislation would enforce certain cybersecurity measures upon companies, which they would have to adhere to. This would raise the overall level of cybersecurity within the country, and reduce data breaches and cyberattacks.
“Without such a regulation, when customers become the victim of a data breach, they can only trust the platform to fix the issue. This is where the government must step in to pass the personal data protection bill,” said Communication and Information System Security Research Center (CISSReC) chairman Pratama Persadha.
