Uproar! Tokopedia User Data Leak
Summary
TLDR: In the Tokopedia data breach, hackers stole 91 million user accounts and sold personal information such as emails, names, and phone numbers. Though financial data remained secure, the leak highlighted the dangers of profiling, phishing, and other scams. The case, part of a wider trend of data leaks in Indonesia, calls attention to the lack of stringent data protection laws. With the Personal Data Protection Law still pending, users are urged to enhance security with practices like two-step verification and complex passwords to protect their accounts from future breaches.
Takeaways
- 💻 In March 2020, Tokopedia experienced a data breach where hackers stole 91 million user accounts, including personal information such as names, emails, phone numbers, and dates of birth.
- 🔒 Financial information, passwords, and banking details were not compromised and remained secure.
- 📰 The data breach was publicly revealed by the Twitter account '@UnderTheBridge', a service monitoring data leaks.
- 💰 Hackers sold the stolen data on the dark web for approximately $5,000 (around 75 million IDR).
- 🛡 Tokopedia confirmed the breach and reassured users that their transactions and payment information, including debit, credit, and e-wallets like Ovo, were safe.
- 🔑 Tokopedia uses OTP (one-time password) verification for added account security during logins.
- ⚖ Current Indonesian laws (ITE Law and Government Regulation 71/2019) provide only administrative sanctions for data breaches; the pending Personal Data Protection (PDP) law will allow fines similar to international standards.
- 🌐 Other Indonesian tech companies have also faced data breaches, including Bukalapak (2019, 13 million accounts) and Gojek (2016, security gap exposure).
- 📱 Users are advised to take security measures such as enabling 2-step verification, performing smartphone security checkups, checking website security indicators, and downloading apps only from official sources.
- 🔐 Users should use complex passwords and change them regularly to maintain account and personal data security.
- ⚠ Personal data leaks, even without financial information, can lead to risks like profiling, scams, and identity misuse.
- 🌍 Comparing internationally, companies like Facebook faced fines in the US and UK for data misuse, highlighting the need for stronger data protection laws in Indonesia.
Q & A
What was the scale of the Tokopedia data breach, and how many user accounts were affected?
- The Tokopedia data breach involved the theft of 91 million user accounts. This data, including personal details such as names, emails, phone numbers, and more, was stolen by hackers and sold illegally on the dark web.
How did the hackers manage to sell the stolen Tokopedia data?
- The hackers, operating under the account 'Uwais Odeng', offered 15 million Tokopedia user account details on the RaidForums forum. After gaining access to the data, they sold it for 5,000 US dollars (approximately 75 million rupiah) through the Empire market on the black market.
What type of user data was compromised in the Tokopedia breach?
- The stolen data included user IDs, emails, full names, dates of birth, genders, cellphone numbers, and encoded passwords. However, sensitive financial information, such as banking accounts and passwords, was not successfully compromised.
What steps has Tokopedia taken to address the breach and secure user data?
- Tokopedia confirmed that there was an attempt to steal user data, but key financial information such as banking and password data remained secure. They also emphasized the implementation of an OTP (One-Time Password) system for transaction verification to enhance security.
What is the main risk associated with the stolen personal data from Tokopedia?
- The primary risk is that the stolen personal data, such as emails, phone numbers, and dates of birth, can be used for malicious purposes, such as profiling, scams, and targeted phishing attacks.
Why can't Indonesia impose fines for the Tokopedia data breach under the current legal framework?
- Under Indonesia’s current legal framework, specifically the ITE Law and Government Regulation No. 71/2019, sanctions for data breaches are still largely administrative, meaning they only involve public announcements or platform blocks. There is no provision for significant fines, unlike in regions like Europe or the U.S.
How does the situation in Indonesia differ from other countries like the U.S. and the UK regarding data breach fines?
- In the U.S. and the UK, companies can face substantial fines for data breaches, as seen in Facebook’s case, where they were fined billions of dollars. Indonesia, however, lacks a robust personal data protection law, which hampers the ability to impose such fines.
What steps can users take to protect their accounts from hackers?
- Users can enhance their account security by enabling security checkups on their devices, ensuring the websites they visit are secure (indicated by a closed padlock icon), using two-step verification, downloading apps only from official sources, and regularly changing their passwords.
What is the role of the Personal Data Protection (PDP) Law in preventing data breaches in Indonesia?
- The Personal Data Protection Law (PDP) aims to provide a legal framework for protecting personal data in Indonesia. If implemented, it would allow the government to impose fines on companies for negligence in handling data breaches. However, the PDP Law is still under development, delayed by the pandemic.
How does Tokopedia's IT system ensure the security of transactions despite the data breach?
- Tokopedia's IT system is designed to protect financial transactions through mechanisms like OTP (One-Time Password) verification. This means that even if personal data was compromised, the security of transactions involving debit or credit cards and other payment methods remains intact.