Cyberthreat.id - Yudi Prayudi, Islamic University of Indonesia (UII) Yogyakarta Head of Digital Forensic Study Center, suggested that the government immediately conduct a large-scale audit related to alleged data leakage of people undergoing Covid-19 tests.

"It takes a long audit to understand the data journey and where there are gaps," Yudi said when contacted by Cyberthreat.id on Monday (June 22)

Health data leakage, according to Yudi, is very risky for the data owner. Especially for now, health data about Covid-19 is sought by data brokers in the world.

Yudi said that the data of Covid-19 in Indonesia, which was so large and spread to regions, will have an impact on [data] security, because the surface attacks were very broad.

"There are gaps everywhere. If, for example, there are data leaks, the audit must be as large [as the data leaks]. Because we don't know what the data flow is like, "he said.

"How this data is submitted to whom, collected by whom, then reported to whom, then collected by whom, verified by whom. This is related to public administration, right?"

"Well, the data relating to public administration, including data that is quite a target. Why? Because the data on average contains personal information," Yudi said.

With the length of the Covid-19 data report, Yudi questioned which level of data protection was carried out.

"Because health related data is private data, it should not be exposed," he said.

"If you are going to be exposed, you have to use an anonymous approach. So where is the mechanism of anonymizing the data? This becomes an important point to explore. "

Yudi also mentioned the need for the current government to concentrate on the management and security of Covid-19 data because this case continues to grow.

"The system developed will not be perfect from the get-go. There is a possibility that these processes also have gaps that might be exploited by the attackers, "he said.

The government, he said, could redesign the data collection starting from reporting, managing, approving data, and deleting data.

On June 18, 2020, in RaidForums -a forum on the deep web where people buy and sell data-, a person with the account name "Database Shopping" sold a database that claimed to contain personal data of 230 thousand people who took the Covid-19 test in Indonesia. The database is in a Mysql format.

The seller provided information on data samples sold, including report date, name, nationality, sex, age, telephone, residence address, type of contact, case relationship, risk start date, risk end date, sick start date, outpatient date, outpatient facility road, date of hospitalization, complaints of illness, date of taking samples, type of check, date of sending samples, date of taking results, final status, date of rapid test, results of rapid test, date of PCR test, and results of PCR test. []