More stories

  • Indonesia finally passes personal data protection law

    Indonesia finally has passed its personal data protection law that has been in discussions since 2016. The government believes the new Bill will be critical amidst a spate of data security breaches in the country. Indonesia’s House of Representatives earlier this month approved the Personal Data Protection (PDP) Bill, paving the way for its ratification on Tuesday. The country now joins other jurisdictions in Southeast Asia that have dedicated personal data protection laws, including Singapore and Thailand. Communications and Informatics Minister Johnny G. Plate had hailed the approval as a milestone and key to driving connectivity and advancements for the local digital sector. Plate said laws to safeguard personal data would help boost and facilitate the management of data security breaches, according to statutory board and state-owned news agency, Antara. Indonesian President Joko Widodo last week underscored the urgent need for relevant ministries to coordinate and investigate alleged breaches of personal data. The National Cyber and Encryption Agency on September 13 said it was investigating claims made by hackers, dubbed “Bjorka”, that they had access to the data of several government websites, presidential letters, and confidential documents from the intelligence agency. The same hackers in August said they obtained information from SIM card users, including their national identification number and contact details. That same month, personal details of 17 million customers of state-run electricity provider PT PLN (Persero) were leaked as were the data of 26 million customers of Telkom Indonesia’s internet and digital TV service IndiHome. The security breaches highlighted the urgent need for the data protection bill to maintain public trust, especially as personal information was required for public services and processed digitally, said Antara.
Identity card numbers (NIKs), for example, often were used for registration of online apps and to process the purchase of train tickets. Citing stats from Surfshark, Antara said Indonesia ranked third as the country most affected by data breaches in the third quarter of 2022, with 12.7 million local accounts compromised. House of Representatives Speaker Puan Maharani said Monday: “This PDP Bill will provide legal assurance that every citizen, without exception, [has full control] over their personal data. Thus, there will be no more tears from the people due to online loans that they don’t ask for, or doxxing that makes people uncomfortable.” Maharani said derivative rules, including the establishment of a supervisory agency tasked to protect the public’s personal data, could be formed immediately after the Bill was ratified. She added that it would serve as a guide for ministries, agencies, and policy makers to maintain a robust national digital security environment. The Bill also is expected to bring together all existing and additional regulations into one. Indonesia currently has 32 laws governing the protection of personal data. Modelled on the European Union’s General Data Protection Regulation (GDPR), Indonesia’s PDP Bill comprises various global components that are not included in its local regulations, such as sensitive personal data and data protection officer. The Bill will regulate all forms of data processing, including acquisition and collection, storing, updating and correcting, as well as deleting, according to Andre Rahadian, a partner and founding member of law firm Hanafiah Ponggawa & Partners (Dentons HPRP). Under the PDP Bill, for instance, personal data controllers will be required to update and correct errors in personal data within 24 hours after receiving the request to do so.
The Bill also specifies underlying documents or circumstances under which personal data may be transmitted outside Indonesia, such as pre-obtained approval of the personal data owner and bilateral international agreements. It includes corporate penalties of up to 2% of an organisation’s annual revenue and jail terms of up to six years for those deemed to have breached the law. Indonesia has an estimated 220 million internet users. The country also was projected to account for 40% of Southeast Asia’s 2021 e-commerce gross merchandise value (GMV), at $70 billion, according to the 2021 e-Conomy Southeast Asia report, which covers six regional markets: Singapore, Malaysia, Vietnam, Indonesia, Thailand, and the Philippines. The study also revealed that 80% in Indonesia had made at least one purchase online.

  • No browser is perfect. What's a user to do?

    I remember, back in the day, when the browser wars had reached a fit of pique such that no one could believe. A big part of this was driven by profit and how so many websites seemed hellbent on focusing on one browser or another. Some sites functioned only with Internet Explorer and […]

  • IoT: Europe readies cybersecurity rules for smart devices – with big fines attached

    The European Commission has proposed cyber-resilience legislation that could lead to cybersecurity labels and penalties for device manufacturers with shoddy cybersecurity features and practices. The proposed law covers hardware and software of “products with digital elements” sold in the European Union and connected to any network. The Cyber Resilience Act (CRA) proposal […]

  • Starbucks Singapore says customer data illegally accessed in data leak

    Starbucks says personal data of some customers in Singapore has been compromised, including names, birthdates, and mobile numbers. While credit card details and passwords have not been leaked, it has advised customers to change their password. The US F&B chain sent email messages to multiple customers on Friday, notifying them that it had detected “unauthorised activity online” as well as “some unauthorised access to customer details”. These included names, dates of birth, mobile numbers, and residential addresses, if the personal data had been provided to Starbucks. It said details related to its Rewards customer loyalty programme, such as stored value and credits, were unaffected. Credit card data also had not been compromised since it did not store such information, according to Starbucks. The retailer said local authorities had been informed and it was assisting them on the security incident. While passwords were not compromised, the company urged its customers to reset their password immediately. ZDNET understands that hackers already are peddling the data on an online forum that specialises in the trading of stolen databases. In a September 10 post, the hackers claimed to have access to Starbucks Singapore’s “full database” containing more than 553,000 records and offered a sample dump. In its email, Starbucks said it had implemented additional measures to safeguard customer information, but did not provide details on what these entailed. ZDNET has reached out to the US retailer for more information, including how many customers were affected by the breach, what systems were breached, and when the breach was first uncovered. This article will be updated if and when Starbucks responds.

  • Uber security breach 'looks bad', potentially compromising all systems

    Uber reportedly has suffered another massive security incident, which is likely more extensive than its 2016 data breach and potentially may have compromised its entire network. It also can result in access logs being deleted or altered. A hacker on Thursday was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP). “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.” Uber since had shut down online access to its internal communications and engineering systems, while it investigated the breach, according to a report by The New York Times (NYT), which broke the news. The company’s internal messaging platform, Slack, also was taken offline. The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and was able to persuade the staff member to reveal a password after claiming to be corporate information technology personnel. The social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak. With the employee’s password, the hacker was able to get into the internal VPN, said Acronis’ CISO Kevin Reed in a LinkedIn post. The hacker then gained access to the corporate network, found highly privileged credentials on network file shares, and used these to access everything, including production systems, corporate EDR (endpoint detection and response) console, and Uber’s Slack management interface.
It was not known, though, how the hacker was able to circumvent the two-factor authentication after obtaining the employee’s password, Reed noted. “This looks bad,” he said, noting that it was likely hackers now could access whatever data Uber had. Asked if the impact was similar or potentially greater than Uber’s 2016 data breach, Reed told ZDNET the latest compromise was certainly large and “as big as it could be”. Every system Uber operated might have been compromised, he said. While it was unclear what data the ride-sharing company retained, he noted that whatever it had most likely could be accessed by the hacker, including trip history and addresses. Given that everything had been compromised, he added that there also was no way for Uber to confirm if data had been accessed or altered since the hackers had access to logging systems. This meant they could delete or alter access logs, he said. In the 2016 breach, hackers infiltrated a private GitHub repository used by Uber software engineers and gained access to an AWS account that managed tasks handled by the ride-sharing service. It compromised data of 57 million Uber accounts worldwide, with hackers gaining access to names, email addresses, and phone numbers. Some 7 million drivers also were affected, including details of more than 600,000 driver licenses. Uber later was found to have concealed the breach for more than a year, even resorting to paying off hackers to delete the information and keep details of the breach quiet. The ride-sharing company in 2018 reached a $148 million settlement over the breach and coverup, with the monies distributed across the US.