Leakage of personal data happened to the online financial and loan platform, KreditPlus. Based on reports, there are around 896 thousand of KreditPlus user data that have been leaked and sold.
This data breach was reported by a researcher and cybersecurity consultant Teguh Aprianto through his Twitter account @secgron. He shared a screenshot in the form of a CreditPlus user data offer by a Megadimarus account in one of the hacker forums, RaidForums.
According to quote of Kumparan, based on HaveIBeenPwned data leak tracking site, leaked data of KreditPlus users includes ID number, full name, date of birth, email address, office name, family member name, gender, monthly salary, marital status, mother’s name, handphone number, spouse name, and religion.
The data leak itself occurred on June 23, 2020. But the new CreditPlus data seller account was on June 27, 2020 by Megadimarus.
The Ministry of Communication and Information Technology has sent a letter to KreditPlus related to the alleged leak of user data.
“We have sent a letter to KreditPlus for clarifying this matter when reporting the problem of leakage to the Ministry of Communication and Information,” said the Director-General of Informatics at the Ministry of Communication and Information Technologi, Semuel Abrijani Pangerapan.
Through its official statement as quoted by KompasTekno, Wednesday (8/5), Semuel said, as a digital service provider, KreditPlus is obliged to protect the user’s personal data.
The provisions contained in Government Regulation Number 71 Year 2019 regarding the Implementation of Electronic Transactions and Systems (PSTE) related to personal data protection standards.
Regulation of the Minister of Communication and Information Technology Number 20 Year 2016 concerning Protection of Personal Data in the Electronic System also contains the same provisions.
KreditPlus stated that they immediately investigated the internal system after reports of their customer data leaked.
After the internal investigation, they found there was data theft.
Kreditplus has invited a digital forensic expert and reported this incident to the National Siber and Sandi Agency (BSSN) as an investigation to find the issue of data theft.
Creditplus Director Peter Halim explained the move was to uncover who was behind the burglary of Creditplus credit data that was allegedly carried out by a third party.
“To discuss the case, KreditPlus has invited leading digital forensics experts and will immediately report this incident to the BSSN,” Peter said in an official statement, Wednesday, August 5.
Regarding the protection of customer data, KreditPlus has implemented a multi-layered security system in the form of a one-time password (OTP) code.
Kreditplus is a finance company since 1994 and focuses on financing motorcycles, cars, and heavy equipment. But recently it was rumored to have experienced a Creditplus data leak of 819,976 thousand.
Cybersecurity expert from CISSReC Pratama Persadha explained the leak of credit data that has occurred since July 16, 2020.
“Actually, KreditPlus data has long been shared in the middle of last month. Precisely on July 16, members of the raid forums are called ShinyHunters,” Pratama said in a written statement quoted by CNNIndonesia.com, Monday, August 3.
Selling data on raid forums is not a new thing. Previously, data from digital companies in Indonesia, starting from Tokopedia, Bhinneka was found sold in the digital market. The latest is 819 thousand total KreditPlus.