Digital security a work in progress


Still vulnerable: Experts advocated for increased cyber hygiene awareness on the part of both companies and individuals. — Reuters

A massive data breach reportedly involving the personal particulars of more than 15 million customers and staff of Indonesia’s largest Islamic bank earlier in May underscores the need for improved cyber security in the archipelago.

The incident involving Bank Syariah Indonesia (BSI), which first surfaced on May 11 and also disrupted the bank’s services, has cast a spotlight on digital security in the world’s fourth most populous nation.

Experts say more needs to be done to beef up online defences in all sectors of the economy to minimise potential losses for users and businesses.

Claiming responsibility for the BSI attack, hacker group LockBit reportedly demanded that BSI management contact them, and threatened to release information such as customers’ and employees’ contact details, financial documents, card details and passwords to the dark web unless the bank paid a ransom of US$20mil (RM91mil).

The dark web is a part of the Internet accessible only by means of special software, allowing users and website operators to remain anonymous or untraceable.

It is rife with illegal transactions such as the buying of stolen information, hacking tools and drugs.

Chat logs have surfaced of what appear to be negotiations between BSI and LockBit, an approach that experts stressed is the wrong thing to do.

Big bucks: The bank made an initial offer of US$100,000 (RM456,200) for the data, which the hackers supposedly declined. — AFP

“Modern ransomware gangs are very cunning and persuasive. It is not advisable to negotiate with ransomware operators – it is better to focus on attack prevention instead,” said Roman Rezvukhin, head of the malware analysis and threat hunting team at global cyber-security firm Group-IB.

But should organisations find themselves in a position where they are unable to regain control of their network, it is important to rely on professional incident response services, he added, noting that companies that decide to handle incidents on their own usually do not succeed.

“Doing so most often leads to an increased ransom demand. An experienced negotiator can at least buy a victim extra time for proper incident containment to make sure that attackers do not maintain access to a network in case a victim decides to pay,” said Rezvukhin.

The chat logs that were shared on social media show that the bank made an initial offer of US$100,000 (RM456,200) for the data, which the hackers supposedly declined, asking for 20 times that amount.

Direct negotiations with cyber criminals do not guarantee that targets will get their files back, and should thus be avoided, said Parvinder Walia, president of Asia-Pacific and Japan at ESET, a global security software firm based in Slovakia.

“It also validates the business model behind the crime, and enables ransomware gangs to research and develop new exploits, which may give rise to more sophisticated, costly attacks in future,” added Walia.

Indonesia’s National Cyber and Crypto Agency (BSSN) said on May 15 that it had communicated with BSI upon discovery of the incident, adding that the bank had conducted its own independent investigations.

While it is not yet known how hackers managed to get information from BSI’s database, BSSN said that the bank has since recovered its electronic system and increased its digital security.

The Indonesian government is clarifying details of the cyber attack, after it received reports of a data leak that took place as a result of the incident.

Actions will be taken and penalties could potentially be doled out so that similar attacks do not occur again, said a senior official from the Communication and Informatics Ministry on Monday.

Yeo Siang Tiong, the general manager for South-East Asia at Russian cyber-security firm Kaspersky, said that organisations like BSI should take preventive measures to increase their resilience against attacks, and cyber security should be seen as part of daily life, rather than as a reactive measure.

Such steps include conducting attack simulations, having a recovery action plan in place, and implementing comprehensive data back-ups.

Yeo, as well as other experts, also advocated for increased cyber hygiene awareness on the part of both companies and individuals.

“Many forward-thinking companies have already embraced intelligence-driven cyber-security solutions that allow them to stay informed about upcoming attacks,” said Group-IB’s Rezvukhin.

“Employees need to be trained to properly recognise and report on phishing attempts, which remain one of the main infection vectors in ransomware attacks.” — The Straits Times/ANN
