Facepalm: It's bad enough when companies don't back up their data, but it's even worse when a country's government ignores this basic rule. It's been revealed that Indonesia has no data backups, which is doubly problematic as it's recently been hit with a ransomware attack.
On June 20, Indonesia's Temporary National Data Center (PDNS), which is operated by the Ministry of Communication and Information Technology, was compromised by a variant of the LockBit 3.0 malware called Brain Cipher. Like most modern ransomware, Brain Cipher exfiltrates sensitive data and encrypts it, also known as double extortion.
At least 210 institutions have been impacted and some of the country's services faced severe disruption. The cybercriminals, described as a non-state actor, are demanding 131 billion Rupiah ($8 million) for the decryption key. Communication and Informatics Minister Budi Arie Setiadi says the government does not intend to pay, and that authorities are attempting to decrypt the data themselves. Government services are expected to be fully restored by August.
The ransomware attack also revealed that 98% of the government data stored in one of the two compromised data centers had not been backed up. As a result, Indonesian President Joko Widodo has ordered an audit of all government data centers.
Yusuf Ateh, who heads Indonesia's Development and Finance Controller (BPKP), said (via Reuters) the audit would cover "governance and the financial aspect."
Vice President Ma'ruf Amin said the scale of the damage was due to the centralization of government networks. "Once it was centralized, it turned out that once it was hacked, everyone was affected. I didn't think hacking was so devastating in the past."
Hinsa Siburian, chair of Indonesia's cybersecurity agency, said, "Generally we see the main problem is governance and there is no backup."
Budi has confirmed that the ministry did have backup capabilities at the data centers, but it was optional for government agencies to use the service. He blamed budgetary constraints for why the backup service hadn't been used, adding that this would soon become mandatory.
News of the lack of backups and the explanation for this has been met with anger and calls for Budi's resignation. "If there is no back up, that's not a lack of governance," said Meutya Hafid, the chair of the commission overseeing the incident. "That's stupidity."