Government Slow to Act on Tokopedia Leaks: David Tobing

Oktarina Paramitha Sandy Posted: Wednesday, 06 May 2020 - 22:38 WIB

Jakarta - Chair of the Indonesian Consumer Community (KKI), Dr. David Tobing, said he was disappointed with the government's attitude regarding the leakage of customers' personal data on the Tokopedia shopping site.

That disappointment is one of the reasons why KKI took the Minister of Communication and Information of the Republic of Indonesia and PT Tokopedia to court.

"We are disappointed that the Minister of Communication and Information seems to be facilitating Tokopedia, but neglected to swiftly investigate. This is too prolonged," said David when contacted by in Jakarta, Friday (May 8, 2020).

On Wednesday, through its attorney Akhmad Zaenuddin, KKI sued the Minister of Communication and Information Technology RI (Defendant I) and PT Tokopedia (Defendant II).

The lawsuit is registered via e-court at the Central Jakarta District Court under Online Registration Number PN JKT.PST-0520201XD, dated May 6, 2020.

On May 2, Under the Breach, an Israeli cybersecurity company, found hackers sharing a database of 15 million Tokopedia users on a darkweb forum called RaidForums.

Before selling a database of 91 million user accounts worth Rp 74.3 million, the hacker initially asked other hackers to help him crack user passwords that were still encrypted.

The database on offer on the forum showed snippets of usernames, full names, emails, genders, and cell phone numbers, among other things. Since the news went viral on social media, many people from Indonesia entered RaidForums to download the database.

The following are excerpts of the interview with Dr. David Tobing:

What are your thoughts on the government's actions in handling the Tokopedia data leak case?

The government has been handling this data leakage case very slowly; they should report it to the police. If indeed the data was stolen or if there was a breach in the system, it should have been investigated immediately. We have the capacity to do so.

The Ministry of Communications and Informatics should have been keeping watch and coaching. They should have been conducting periodic supervision. 

Have personal data security standard procedures been implemented? Is the security of the electronic system provider (PSE) in accordance with existing regulations? Or have they exceeded the best practices adopted by other platforms around the world?

We are disappointed that the Minister of Communication and Information seems to be facilitating Tokopedia, but neglected to swiftly investigate. This is too prolonged.

This periodic monitoring presented by my [lawsuit] places the Ministry of Communications at fault for neglecting to supervise PSEs properly.

Will this data leak change regulations in Indonesia?

There is no need to wait for the Personal Data Protection Act to be passed. With the existing authority, the minister should be able to make regulations that are more pro-consumer.

Regarding data centers in Indonesia or not, the minister can determine, but must really side with the protection of personal data.

They have a very lax grip on the situation; it has been almost a week, but no actions have been taken and no announcements made. It should have been easily investigated; even hoaxes can be uncovered. Did the leaks originate from the inside or outside?

The leaks also showed that Tokopedia’s system security is no longer feasible. 

What about consumer protection regulations in the digital age?

For consumer protection regulations in the digital age, it is affirmed in the Trade Act. Then, there is Government Regulation Number 80 Year 2019 regarding Trade through Electronic Systems.

These laws regulate how the apps and electronic platforms should protect consumers. The Ministry of Trade's authority can blacklist platforms that violate consumer rights.

The regulations exist, but the two-year adjustment clause is regrettable; it’s too long.

Some criteria of the law are adhered to by platforms, but they are “adjusted,” and this is regrettable because it is taking too long.

(David also mentioned the Personal Data Protection Bill. He hoped that with the Tokopedia case, the House of Representatives and the government would quickly discuss the bill. With the existing technology allowing us to conduct meetings online, there is no reason for Covid-19 to hamper discussions of the bill.)

You’ve filed many lawsuits and won them, are you sure this time you will win?

Lawsuits are not about winning or losing, but about how we educate regulators and businesses. 

For example, take the phone credit theft case that I sued over in 2011 and reported to the police.

The case has not been closed, and yet a new regulation was issued, that there should be no activation of paid services without the consent of the consumer. Finally, all were ordered to turn off additional paid services, such as ringback tones.

This lawsuit will be the same, it should serve as a wake-up call to regulators and businesses, that consumer [data] should be respected.

If you look again at the evidence available, this lawsuit should be very clear, what we are asking is not far-fetched, but also complies with existing regulations.

We’re not asking for the fines to be paid to us, or the consumer community, but instead to the state treasury. 

What evidence will you use to prove your case?

For proof, the problem of data leakage has clearly occurred. Not only do we see that the data is traded on the web, but there is also a ministerial statement confirming that there was indeed a data leak.

We are very disappointed that the statement did not make it clear that names, addresses, phone numbers and other data were leaked, but instead tried to assure us by saying “don’t worry, your passwords are safe and financial data are safe.”

In fact, according to the provisions of the Ministry of Communication and Information about personal data it must already be notified to the parties whose data was leaked. 

Furthermore, regarding what losses were incurred, I mentioned in the release that “worried customers” are protected by law under unexpected losses.

Unforeseen losses in law are called immaterial losses. So in this case if later there are people who are truly disadvantaged, the community can sue.

So, in the lawsuit we said that they (Tokopedia) must apologize and be willing to compensate the community for losses. While we are asking for Rp 100 billion as a fine. If we look at Europe, fines can reach up to Rp 300 billion.

So, we ask, because the community has experienced immaterial losses, feelings of anxiety, while Tokopedia is also not forthright, so we ask that they be terminated first. Then, in the final ruling we ask that the organizer of the system be revoked.

Considering that the community has experienced immaterial losses, anxiety over loss of data, and Tokopedia’s lack of clarity, we ask that they temporarily cease operations, and ultimately for their system provider to be revoked. 

Have many users reported to KKI?

There are several users who have reported to me, more than 10. In their report, one of them wrote on Facebook that he received several messages of unknown origins. I always tell them to demand answers from Tokopedia.

There are sites online where we can find out whether or not our data has been compromised, and there we confirmed that those who reported to us indeed had their data leaked. So apart from reports from the public, the minister himself has confirmed the leaks. 

