Data breach: investigated

BPJS Kesehatan data leak

Personal data on an estimated 279 million Indonesians — more than the country's living population — was scraped from the national health-insurance agency BPJS Kesehatan and offered for sale on the RaidForums hacking forum.

Victim: BPJS Kesehatan
Records: 279.0M
Users: 279.0M

In May 2021, a seller on the RaidForums hacking marketplace advertised a database containing the personal records of an estimated 279 million Indonesians — a figure larger than the country's roughly 270 million living population, implying the trove included deceased individuals and duplicate entries. The data was traced to BPJS Kesehatan, Indonesia's national health-insurance administrator, making it one of the largest personal-data exposures ever recorded in Southeast Asia.

What happened

On 12 May 2021, a RaidForums account using the handle "Kotz" posted an offer to sell the full dataset for 2 bitcoin (roughly US$74,000 at the time), and published a free sample of about 1 million records to prove authenticity. Researchers who examined the sample found it consistent with BPJS Kesehatan's membership records.

The exposed fields reportedly included full names, national identity (NIK) numbers, identity-card details, home addresses, phone numbers, email addresses, dates and places of birth, and — for some records — salary information. Because BPJS membership is effectively mandatory for Indonesian residents, the breach touched nearly the entire population.

Impact

  • An estimated 279 million records were offered for sale, including data on living and deceased citizens.
  • The exposed combination of NIK numbers, addresses, and contact details created broad risk of identity theft, SIM-swap fraud, and targeted phishing.
  • Investigators determined the data was likely exfiltrated through compromised access rather than through an attack that encrypted or disrupted systems; BPJS services remained operational.

Government response

The Ministry of Communication and Information (Kominfo) confirmed that the leaked data originated from BPJS and moved to block access to the forum and take down the download mirrors hosted on cloud-storage services. Kominfo coordinated with BPJS Kesehatan and the National Cyber and Crypto Agency (BSSN) on a forensic investigation. BPJS executives were summoned by lawmakers, and officials publicly acknowledged that Indonesia's data-protection safeguards were inadequate.

Why it matters

The BPJS Kesehatan leak became the defining example of Indonesia's weak data-governance regime in the period before the country enacted its Personal Data Protection Law (PDP Law) in 2022. With no comprehensive privacy statute in force at the time, neither the agency nor the government faced statutory penalties, and no individual was ever held accountable. The incident — alongside the contemporaneous eHAC and PeduliLindungi exposures — drove sustained public and parliamentary pressure that ultimately produced Indonesia's first omnibus data-protection law.

Timeline

  1. A RaidForums user named 'Kotz' advertises a database of 279 million Indonesians for sale, posting a free sample of around 1 million records.

  2. Indonesian media and researchers link the data to BPJS Kesehatan, the national health-insurance agency.

  3. The Ministry of Communication and Information (Kominfo) confirms the data originated from BPJS and begins blocking access to the forum and download links.

  4. Kominfo coordinates with BPJS and the National Cyber and Crypto Agency (BSSN) to investigate the source of the leak.

  5. BPJS leadership is summoned by lawmakers; the government acknowledges weak data-protection safeguards.

Sources

  1. dataguidance.com: https://www.dataguidance.com/news/indonesia-kominfo-confirms-breach-government-health
  2. thejakartapost.com: https://www.thejakartapost.com/news/2021/05/23/alleged-breach-of-bpjs-data-points-to-indonesias-weak-data-protection-experts.html
  3. en.tempo.co: https://en.tempo.co/read/1469740/bpjs-kesehatan-massive-data-breach-investigation-update
  4. en.antaranews.com: https://en.antaranews.com/news/195925/ministry-to-issue-decision-on-bpjs-data-leak-soon
