Massive data breach hits Indonesian Election Commission’s website: 204 million voter records stolen and allegedly being sold on dark web

INDONESIA – The official website of Indonesia’s General Election Commission (Komisi Pemilihan Umum or KPU) has fallen victim to a hacker named Jimbo, with 204 million voter records being compromised.

The anonymous hacker claims to have successfully breached the site, kpu.go.id, and obtained sensitive voter data.

Pratama Persadha, Chairman of the Cyber Security Research Institute CISSReC, revealed that Jimbo shared 500,000 sample data on BreachForums, a dark web forum platform notorious for trading hacked information.

Additionally, screenshots from the website https://cekdptonline.kpu.go.id/ were posted to validate the accuracy of the acquired data.

Jimbo’s loot reportedly contains 252 million entries, including duplicated records. After filtering, approximately 204,807,203 unique entries remain, nearly matching the total number of registered voters in the KPU’s Permanent Voters List (DPT) across Indonesia’s 514 districts and cities, as well as 128 representative countries.

Screenshots from BreachForums. (Photo: the documentary of Cyber Security Research Institute CISSReC via BBC Indonesia)

The compromised data encompasses crucial personal information such as National Identity Numbers (NIK), Family Card Numbers (KK), Identity Card Numbers (KTP), full names, gender, birthdate, birthplace, marital status, complete address, residential codes, sub-districts, and regional codes.

Pratama warned that Jimbo offers this extensive dataset for a staggering US$74,000 or approximately IDR 1.2 billion. He also confirmed that CISSReC independently verified a random sample through the cekdpt website, finding a match with Jimbo’s shared data, including the Polling Station Numbers (TPS) where voters are registered.

One alarming revelation from Jimbo’s screenshots indicates possible access to the KPU’s administrative dashboard. The breach likely occurred through phishing, social engineering, or malware, prompting CISSReC to issue a vulnerability alert to the KPU Chairman on 7 June 2023.

(Photo: the documentary of Cyber Security Research Institute CISSReC via BBC Indonesia)

Expressing the gravity of the situation, Pratama emphasized the potential threat to democratic elections. If Jimbo indeed holds admin credentials, there is a risk of manipulating vote tallying results, potentially sparking nationwide unrest.

To address the breach, CISSReC recommended an immediate audit and forensic examination of the KPU’s security systems and servers. They also advised the KPU’s IT team to change usernames and passwords for all accounts with system access to prevent further unauthorized use.

KPU Chairman Haysim Asy’ari assured the public that the KPU is actively coordinating with the Indonesian National Police, the National Cyber and Crypto Agency (BSSN), the State Intelligence Agency (BIN), and the Ministry of Communication and Information Technology (Kemenkominfo) to address the situation.

In response, Deputy Minister of Communication and Information Nezar Patria stated that Kemenkominfo is awaiting detailed information from the KPU to ascertain the nature of the data breach, whether it originated from internal systems or other factors.

Meanwhile, Minister of Communication and Information Budi Arie Setiadi has sent an official letter to the KPU, seeking clarification on the alleged data leak in the Voter List for the 2024 Election. He emphasized the concurrent collection of information by Kemenkominfo to support the investigation.

Budi also reminded all Electronic System Organizers (PSE), both public and private, to enhance their cybersecurity capabilities to protect the personal data they manage.

This incident echoes previous breaches in 2020, where 2.3 million Indonesian citizens’ and voters’ data was allegedly leaked by a hacker using the anonymous account “Underthebreach” on a hacking forum.

Two years later, in 2022, the account “Bjorka” claimed control over 105 million Indonesian resident data, obtained through a KPU site breach, selling it for approximately IDR 77 million on BreachForums.

Annisa N. Hayati, a researcher from the Institute for Policy Research and Advocacy (ELSAM), highlighted the recurring issue of incomplete investigations into KPU data breaches. She pointed out the pattern of denial following each incident, emphasizing the need for thorough and transparent investigative processes to address such security lapses.

“Now, typically, whenever there’s a leakage incident, the response is always denial,” clarified Annisa.