Indonesia, suffering from a ransomware attack, discovers it has no backups — 'That's stupidity,' remarks astute government official

Jakarta skyline in Indonesia
(Image credit: Shutterstock)

A cyber attack in Indonesia that’s been called the worst in years exposed a critical mistake in the country’s information technology policy. Almost none of the data in one of the two data centers hit by the ransomware attack is backed up, meaning it cannot be restored other than by decrypting the affected servers’ storage systems.

The attack happened on June 20, when a “non-state actor” compromised Indonesia’s Temporary National Data Center (PDNS) using a variant of the LockBit 3.0 malware called Brain Cipher. This software not only extracts sensitive data but also encrypts it on the servers. The attacker has demanded a ransom of $8 million, which the government says it does not intend to pay.

The attack affected over 230 public agencies in Indonesia, including ministries, and severely disrupted several critical national services. These included important government services such as immigration and operations at major airports.

After the impact became clear, Indonesian President Joko Widodo ordered an audit of the country’s data centers. Muhammad Yusuf Ateh, who leads Indonesia’s Development and Finance Controller (BPKP), said the audit would cover “governance and the financial aspect” of the cyberattack.

An official from Indonesia’s cyber security agency told Reuters that 98% of the government data stored in one of the two compromised data centers had not been backed up. While the data center had the backup capacity to store the data, it wasn’t required. Many government agencies did not use the backup service because of budget constraints.

Since then, some have called for Budi Arie Setiadi, Indonesia’s communications director, to resign his post. Setiadi’s ministry is responsible for running the data centers. Setiadi, they say, has failed to take responsibility for multiple cyber attacks on the nation.

The commission chair investigating the incident, Meutya Hafid, said, “If there is no back up, that's not a lack of governance. That's stupidity.”

Indonesian authorities say they are trying to decrypt the data themselves. The team expects to have all government services fully restored by August.

Jeff Butts
Contributing Writer

Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.

  • Amdlova
    Backup is stupid... But now you can build your civilization from scratch
    Reply
  • TechyIT223
    No Amdlova. Having a backup isn't stupidity though. In fact it's's an essential part of the process in a world where we have to deal with huge amounts of data.

    This one would be detrimental to Indonesia in the long term. Im surprised to hear this news to be honest.
    Reply
  • COLGeek
    You would be shocked (maybe) at just how many government and business entities have no/inadequate backup solutions. Even multimillion/billion dollar companies and government offices at all levels.

    Ineptness at its worst.
    Reply
  • Exploding PSU
    Nah, they stated that the bad actors had "realised the errors of their ways" and offered to hand out the decryption key for free in a shocking heel-face turn, fiction style hero arc.

    It's so embarrassing. I mean, come on, even I back up my data regularly, and I don't know jack about tech (guess why I'm here)... How did they arrive at the maddening conclusion of "While the data center had the backup capacity to store the data, it wasn’t required. Many government agencies did not use the backup service because of budget constraints."

    Budget constraints? Seriously? Whatever happened to that 60+ million AUD budget?

    Please people, back up your data!
    Reply
  • nameless0ne
    Exploding PSU said:
    Nah, they stated that the bad actors had "realised the errors of their ways" and offered to hand out the decryption key for free in a shocking heel-face turn, fiction style hero arc.

    It's so embarrassing. I mean, come on, even I back up my data regularly, and I don't know jack about tech (guess why I'm here)... How did they arrive at the maddening conclusion of "While the data center had the backup capacity to store the data, it wasn’t required. Many government agencies did not use the backup service because of budget constraints."

    Budget constraints? Seriously? Whatever happened to that 60+ million AUD budget?

    Please people, back up your data!
    What usually happens (even with those national data centers) is those that store the data (agencies) need to pay additional fees for their data to be backed up. We have this in our country as well - a national data center to aggregate data from multiple agencies. This helps with upkeep costs and better resource use. But you need to "share" the cost meaning all the services from the data center need to be paid for. And if laws do not require to have a data backup then any agency would need to budget this "un-required" cost.
    All of this penny pinching and nearsightedness has lead to this situation.
    One could say that the data center operator is to blame since the breach was on it's side. But they likely have contracts that absolve them from any backlash.
    Reply