Kemenkes Buka Suara Soal Kebocoran Data 1,3 Juta Pengguna Aplikasi eHAC

KOMPASTV

1 Sept 202109:04

Summary

TLDRA major data breach involving Indonesia's COVID-19 tracking app has exposed the personal information of 1.3 million users, including sensitive health and travel data. Experts criticize the country's weak data security systems and legal frameworks, urging the government to learn from past breaches. The breach, which was discovered in July 2023, was caused by vulnerabilities in the app's system, and while steps were taken to mitigate it, experts warn that many more data vulnerabilities could exist. Calls for stronger cybersecurity practices and a public apology from the Ministry of Health are growing.

Takeaways

😀 A data breach occurred in Indonesia's COVID-19 tracking app (Ihex), exposing the personal information of 1.3 million users.
😀 The breach involved sensitive data such as COVID-19 test results, identification cards, passports, and hospital details.
😀 The vulnerability was found in an older version of the Ihex app, which had weak security, not in the current integrated system.
😀 The breach was first reported in July 2025 by BBM Mentor, but authorities only took action in late August after escalation.
😀 The exposed data included detailed information from 226 hospitals and clinics in Indonesia, including doctor names and test results.
😀 Personal details of users, such as phone numbers, KTP or passport numbers, and travel details, were also leaked.
😀 Experts and lawmakers have criticized the government's cybersecurity infrastructure, highlighting its weaknesses in protecting citizen data.
😀 Cybersecurity expert Pratama Persada warned that the leak could be exploited by malicious parties for identity theft and fraud.
😀 The Ministry of Health took action by notifying relevant parties and addressing the security flaw, but the leaked data cannot be retracted.
😀 The incident underscores the need for stronger cybersecurity laws, better infrastructure, and proactive measures to safeguard data in Indonesia.

Q & A

What is the main subject of the video transcript?
-The video discusses a data breach related to an Indonesian health tracking app, which exposed sensitive personal data of over 1.2 million users, including COVID-19 test results and personal details.
Which application was affected by the data breach?
-The breach occurred in an electronic health application used for COVID-19 testing and tracking, which was required for travelers entering Indonesia or traveling domestically.
What types of personal information were exposed in the breach?
-Exposed data included COVID-19 test results, identity card numbers, passport details, phone numbers, hotel details, and medical records from over 200 hospitals and clinics across Indonesia.
When was the breach first reported and what was the initial response?
-The breach was first reported in July 2023 by a cybersecurity group, but the initial response from relevant authorities was delayed, which allowed further exposure of sensitive data.
What was the role of the Indonesian Ministry of Health (Kemenkes) in this incident?
-Kemenkes was involved in verifying the data leak, working with cybersecurity agencies to confirm the breach, and addressing the vulnerabilities in the system once they were notified.
How did the cybersecurity community become aware of the breach?
-A cybersecurity group identified the vulnerability and initially reported it to relevant authorities in July 2023. After receiving no response, the issue was escalated and reported to Indonesia's National Cyber and Encryption Agency (BSSN).
What security flaws were highlighted by this incident?
-The incident exposed weaknesses in the cybersecurity infrastructure of Indonesia, particularly in the systems used to store and manage sensitive health data. It also revealed a lack of a robust legal framework for data protection.
How many users were affected by the data breach?
-Over 1.2 million users were affected by the data breach, which exposed sensitive personal and health information.
What actions were taken to address the breach after it was discovered?
-After the breach was confirmed, the system vulnerability was closed by August 2023, and the authorities notified relevant parties to take action. Kemenkes and BSSN collaborated to resolve the issue.
What criticisms have been raised regarding the Indonesian government's handling of the breach?
-Experts have criticized the government for failing to learn from previous data breaches, pointing to a lack of awareness of system vulnerabilities, and calling for stronger protections to secure citizens' personal data. The government has been urged to improve its cybersecurity measures and legal framework.