Bank Syariah Indonesia (BSI) ransomware attack

On 8 May 2023, Bank Syariah Indonesia (BSI) — the country's largest Sharia-compliant bank, formed from the 2021 merger of three state-owned Islamic banks — suffered a multi-day outage of its ATMs, mobile banking, and branch services. The LockBit ransomware gang later claimed the attack and leaked 1.5 TB of stolen data after BSI declined to pay a US$20 million ransom.

What happened

Customers across Indonesia found ATMs, the BSI Mobile app, and in-branch transaction systems unavailable starting 8 May. The bank initially attributed the disruption to system maintenance, but the outage stretched across several days, fuelling speculation of a cyberattack.

On 13 May 2023, the LockBit ransomware operation posted BSI on its dark-web leak site, claiming to have exfiltrated 1.5 terabytes of data spanning nine databases. LockBit said the trove covered roughly 15 million customers and employees, including names, phone numbers, addresses, account and card numbers, transaction histories, and internal documents. The gang set a 72-hour deadline and demanded US$20 million.

Impact

BSI's core banking services were degraded or offline for several days, affecting millions of customers during the period overlapping the Eid post-holiday season.
LockBit claimed 1.5 TB of data on around 15 million customers and staff.
When negotiations failed, LockBit published the full dataset on 15 May 2023, moving the incident from extortion to a confirmed mass data leak.

Response

BSI publicly confirmed a cyberattack on 16 May, while maintaining that customer funds were secure and that services had been restored. Indonesia's Financial Services Authority (OJK) and the National Cyber and Crypto Agency (BSSN) engaged on the incident. The bank did not pay the ransom.

Why it matters

The BSI breach was a watershed for financial-sector resilience in Indonesia: a systemically important bank suffered both prolonged service disruption and a full customer-data leak, undermining trust during a sensitive religious-banking period. It foreshadowed the 2024 National Data Centre attack by the same LockBit-derived ecosystem, reinforcing concerns about Indonesia's exposure to ransomware operators using the LockBit 3.0 toolkit and the limited recourse available to victims under the country's nascent data-protection framework.

Timeline

May 8, 2023

BSI's ATM network, mobile app, and branch transaction systems go offline; the bank initially calls it routine maintenance.

May 13, 2023

LockBit claims responsibility, stating it stole 1.5 TB of data and demanding a $20 million ransom within 72 hours.

May 15, 2023

With the deadline expired and no payment made, LockBit publishes the stolen dataset on its leak site.

May 16, 2023

BSI confirms a cyberattack while asserting customer funds and data remained safe; services are largely restored.

Sources

thecyberexpress.comhttps://thecyberexpress.com/lockbit-bank-syariah-indonesia-cyber-attack/

coconuts.cohttps://coconuts.co/jakarta/news/explained-the-ransomware-attack-on-bsi-indonesias-largest-islamic-bank/

izoologic.comhttps://izoologic.com/2023/05/16/lockbit-hits-indonesian-bank-bsi-with-a-ransomware-attack/

thejakartapost.comhttps://www.thejakartapost.com/paper/2023/05/16/data-breaches-still-haunt-indonesia.html

Related incidents

RansomwareContainedNovember 9, 2023

ICBC Financial Services LockBit ransomware (2023)

LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.

Victim: ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
Loss: $9.00B

RansomwareContainedDecember 8, 2023

Westpole LockBit ransomware — Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim: Westpole / PA Digitale (Urbi platform)

RansomwareContainedOctober 27, 2023

Boeing LockBit ransomware via Citrix Bleed (2023)

LockBit operators exploited the Citrix Bleed vulnerability (CVE-2023-4966) to enter Boeing's parts and distribution business. Boeing did not pay; LockBit leaked roughly 45 GB of data, including Citrix logs, email backups, supplier lists, and 2020 pricing data.

Victim: Boeing — Parts and Distribution business

RansomwareContainedFebruary 8, 2023

Indigo Books LockBit ransomware

LockBit affiliates encrypted Canada's largest bookseller, taking the website and in-store payment systems offline for weeks. Indigo publicly refused the ransom; LockBit published employee personal data.

Victim: Indigo Books & Music Inc.
Loss: $40.0M
Records: 5.0K