The first that Indonesia heard about the hacker now known as Bjorka came when news broke at the beginning of September of a massive data leak.
Some 1.3 billion SIM card registration details were stolen and listed for sale on a dark web online marketplace. The data was harvested in part as a result of a change in policy in 2017, requiring that anyone using an Indonesian SIM card first register it in their name using their identity card, known as a KTP, and their family card, known as a KK.
If the leaks had ended there, or if Bjorka – who appears to have taken their name from the Icelandic singer Bjork – had listed more online data seemingly purely for financial gain, perhaps the story would not have gained much traction. But in the weeks after the data leak, Bjorka has attracted something of a cult following online thanks to an intriguing personal backstory and a series of spats with the increasingly frustrated Indonesian government.
“I just wanted to point out how easy it is for me to get into various doors due to a terrible data protection policy. Primarily if it is managed by the government,” Bjorka posted on Twitter on September 10, using the now-suspended account @Bjorkanism.
The hacker wasn’t wrong.
“Apart from the obvious concerns about what data Bjorka actually has, and how the leaks occurred, the case shows serious weaknesses in Indonesia’s overall approach to cybersecurity over the years,” research analyst Uday Bakhshi told The Diplomat.
“Attacks happen frequently and target the government, businesses, and citizens. Prominent ministers should not be saying that the Bjorka leaks are fine,” he added.
In the days following the initial leak of the SIM card data, the Indonesian government sought to downplay Bjorka’s hacking efforts, while Semuel Abrijani Pangerapan, the director general of informatics application at the Ministry of Communication and Information, tried to reason with any would-be hackers.
“If you can, don’t attack. Every time data is leaked, the people lose out, because that’s illegal access,” Pangerapan said at a press conference on September 5. “If you want to embarrass the government, find other ways to do it.”
Bjorka’s reply was succinct: “My message to the Indonesian government: Stop being an idiot.”
Fact or Fiction?
Bjorka has continued to post content on Twitter, despite several account suspensions, doxxing a number of Indonesian ministers and political figures and posting jibes about others, including Minister of State-Owned Enterprises Erick Thohir and the parliamentary speaker, Puan Maharani.
Amongst other things, Bjorka has called out political figures about the rising cost of fuel, which has caused protests across the country. This has given the shadowy figure a kind of Robin Hood status, as a representative of the people holding the government to account, particularly after they threatened to release a database of presumably hacked information about Pertamina, the Indonesian state-owned oil and gas corporation.
This image was further bolstered when Bjorka posted a series of messages on September 11, in which they claimed that they had “a good Indonesian friend in Warsaw and he told me how messed up Indonesia is.”
“I did this for him,” Bjorka added of his recent data leaks.
Bjorka also mentioned that their “friend” had left Indonesia as a result of the “1965 policy” – an apparent reference to the anti-communist purges of 1965 and 1966 which saw thousands of Indonesian intellectuals, academics, activists and political figures leave the country following mass killings of suspected communist sympathizers. Between 500,000 and 1 million people are estimated to have been killed in the anti-communist purges.
While impossible to verify, this colorful backstory added a distinctly political tone to Bjorka’s recent hacks.
Analysts told The Diplomat that, in addition to the online hijinks, Bjorka’s antics highlight the deeper question of Indonesia’s lack of preparedness around cybersecurity.
“What Bjorka has done is expose the existing vulnerabilities in our data protection mechanism and regulations by showing how ‘easy’ it is to gain access to personal data across databases,” Beltsazar Krisetya, a researcher at the Department of Politics and Social Change at the Centre for Strategic and International Studies, who focuses on cybersecurity issues, told the Diplomat.
“What the government has done in response to the attack, ironically, exposes such vulnerabilities even further.”
The government has set up a data protection task force consisting of the National Cyber and Crypto Agency (BSSN), the Ministry of Communication and Information (Kominfo), the Indonesian National police (Polri) and the Indonesian Intelligence Agency (BIN), which Krisetya said went against the very premise of BSSN’s establishment in 2017 as the agency was set up to end overlapping authorities across government institutions dealing with cybersecurity matters.
“The government’s step to create yet another authority shows how fragmented our cybersecurity governance is, and that none of the existing institutions has the coordinating authority to respond to cyber incidents,” he added.
A spokesperson for the President’s Office declined to comment on the case when contacted by The Diplomat.
A History of Threats
Data leaks, cybercrime, and hacking are issues that have long plagued Indonesia.
“This isn’t the first major data breach in Indonesian history and it is very unlikely to be the last,” said Gatria Priyandita, an analyst at International Cyber Policy Centre at the Australian Strategic Policy Institute. “Ultimately, the government must lead by example by ensuring that it is capable of protecting the data of everyday Indonesians by improving its own cybersecurity infrastructure,”
At the end of August, the data of over 17 million customers of the State Electricity Company (PLN) was leaked online and, earlier that same month, confidential documents from over 21,000 Indonesian companies were also released.
In 2020, the details of 91 million customers of e-commerce site Tokopedia were sold online and, the following year, the social security details of some 279 million people were leaked by hackers.
Over the years, many have lamented the absence of the Personal Data Protection Bill, a piece of legislation designed to protect the data of Indonesian citizens, which languished in parliament from 2016 to 2022.
The bill was passed in a flurry of activity on Tuesday, in response to the recent leaks and means that anyone mishandling data can now be jailed for up to six years.
There will now also be a two-year transition period as the new law takes effect.
“The government pushed through the Personal Data Protection Bill, but it should have been ratified years ago, and not in response to Bjorka,” research analyst Bakhshi said, adding that, “The law should not however be the only safeguard against cybersecurity threats; there needs to be better awareness and a shift in attitudes, amongst other measures.”
Krisetya agreed, telling The Diplomat that the government needs to be more active in addressing potential repercussions from already leaked personal data, and that bad actors could use such leaked personal data including names, phone numbers, and dates of birth for online fraud, harassment, abuse, or even cyber terrorism.
He also added that current priorities could seem out of touch and that “the government’s resources appear to be directed towards apprehending Bjorka, instead of patching our vulnerabilities.”
For its part, the government has made an arrest in the case, namely that of an iced drinks seller from Madiun, East Java.
According to the man’s mother, the family does not have home internet or a laptop, but police last week charged Muhammad Agung Hidayatullah, 21, with helping Bjorka set up a Telegram channel. Hidayatullah has admitted he sold his Telegram channel to Bjorka or his administrators, but denied being a member of the hacker’s “team.” The development has only added to the public intrigue around the case.
Contributing to the ruckus that the case has caused is the fact that it is not clear if the hacker known as Bjorka is an Indonesian national, or if they are even in the country, something that could be an issue if the authorities wish to bring them to justice.
“This is really an issue of jurisdiction,” Kosman Samosir, a lecturer in international law at Santo Thomas Catholic University in Medan, said. “If Bjorka is abroad, they would have to be extradited to Indonesia, which is not an easy thing to do.”
Any requests for extradition would depend on whether Bjorka is residing in a country that has an extradition treaty with Indonesia, and whether the Indonesian authorities can build a credible case against them in order to satisfy any extradition request.
Last Wednesday, Coordinating Minister for Legal, Political, and Security Affairs Mahfud MD said that the authorities are working hard to discover the hacker’s identity and are pursuing a number of credible leads in the case, a statement that Bjorka described on social media as “complete bullshit.”
“The government’s failure to protect the billions of data supposedly leaked in the Bjorka attacks demonstrate the lack of interest and political will in the data security of ordinary Indonesians,” analyst Priyandita said of the recent developments
“The government’s response has, thus far, demonstrated just how reactive the government has been to addressing threats in cyberspace.”