Multiple leaks involving 13 Indonesian government agencies
This week’s Cyber Intelligence House Leak of the Week highlights multiple leaks involving 13 Indonesian government agencies: national ministries and agencies operating under the .go.id domain.
Multiple datasets were shared on Hacker Hometown (a private Telegram channel), containing official documents and scans linked to identity administration, taxation, procurement, banking, and internal operations. Analysis identified 33,726 files, consisting of 33,090 PDF, 221 DOCX, 200 XLSX, 132 DOC and 83 XLS files, 34.6 GB in total.
Impacted domains: atrbpn.go.id, bkn.go.id, bp2mi.go.id, bumn.go.id, dephub.go.id, kemenkeu.go.id, kemenparekraf.go.id, kemenpora.go.id, kemhan.go.id, lelang.go.id, pajak.go.id, pu.go.id, setneg.go.id.
Sensitive categories inferred from filenames and directory context include identity records (KTP, KK, passport), tax identifiers/filings (NPWP, SPT), banking authorizations and account artifacts, signed contracts and formal agreements, invoices and receipts, procurement/tender documentation, HR records, and multiple files referencing access and credentials (admin, login, VPN). Observed filename indicators include at least 734 tax/NPWP/SPT references, 577 procurement/tender references, 280 access/credential references, 250 HR/biodata references, 236 contract/agreement references, and 149 identity-document references. These counts are conservative lower bounds, since they include only filenames that explicitly signal sensitive content.
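The filename-indicator counts above come from keyword matching over paths rather than from opening each file. The script below is an added example of that kind of triage, written for this post; it is not Cyber Intelligence House’s tooling, and the keyword lists, category names and the sample listing are this example’s own assumptions (the listing is constructed, not paths from the actual dump). It tokenizes each path on non-alphanumeric characters so that "KTP" inside "scan_KTP_NPWP_budi.pdf" is still found, tallies files by extension and by sensitive category, and orders the flagged files so that identity, tax, banking and credential hits come first, matching the notification priority recommended later in the post.

```python
from __future__ import annotations

import re
from collections import Counter
from pathlib import PurePosixPath

# Keyword families per sensitive category. The families mirror the indicator
# groups named in the post (KTP/KK/passport, NPWP/SPT, banking, admin/login/VPN,
# tender, biodata, contract/agreement); the exact word lists are this example's
# own assumption, not the ruleset behind the published counts.
CATEGORY_KEYWORDS = {
    "identity":    {"ktp", "kk", "passport", "paspor"},
    "tax":         {"npwp", "spt", "pajak"},
    "banking":     {"bank", "rekening"},
    "credentials": {"admin", "login", "vpn", "password", "credential"},
    "procurement": {"tender", "lelang", "procurement", "pengadaan"},
    "hr":          {"biodata", "hr", "pegawai", "payroll"},
    "contract":    {"kontrak", "contract", "agreement", "perjanjian"},
}

# Categories that put a file at the front of the notification queue.
HIGH_PRIORITY = {"identity", "tax", "banking", "credentials"}

TOKEN_SPLIT = re.compile(r"[^a-z0-9]+")


def tokens(path: str) -> set[str]:
    """Lowercase the path and split on every non-alphanumeric run, so
    'scan_KTP-NPWP.pdf' yields {'scan', 'ktp', 'npwp', 'pdf'}. A \\b-based
    regex would miss 'ktp' inside 'ktp_budi' because '_' is a word character."""
    return {t for t in TOKEN_SPLIT.split(path.lower()) if t}


def classify(path: str) -> set[str]:
    """Return the sensitive categories whose keywords appear in the path."""
    toks = tokens(path)
    return {cat for cat, words in CATEGORY_KEYWORDS.items() if toks & words}


def extension(path: str) -> str:
    """Normalized file extension ('PDF' and 'pdf' are the same bucket)."""
    return PurePosixPath(path).suffix.lower().lstrip(".") or "none"


def priority(cats: set[str]) -> str:
    if cats & HIGH_PRIORITY:
        return "high"
    return "medium" if cats else "low"


def triage(listing: list[str]) -> dict:
    """Tally a leaked file listing by extension and by category, and return
    the flagged files with high-priority ones first."""
    by_ext = Counter(extension(p) for p in listing)
    by_cat: Counter = Counter()
    flagged = []
    for p in listing:
        cats = classify(p)
        by_cat.update(cats)
        if cats:
            flagged.append((priority(cats), p, sorted(cats)))
    order = {"high": 0, "medium": 1, "low": 2}
    flagged.sort(key=lambda item: (order[item[0]], item[1]))
    return {
        "total_files": len(listing),
        "by_extension": dict(by_ext),
        "by_category": dict(by_cat),
        "flagged": flagged,
    }


# Constructed sample listing (not paths from the actual dump). Paths are kept
# relative so a host name such as pajak.go.id cannot trigger the 'pajak' keyword.
SAMPLE_LISTING = [
    "set01/keuangan/SPT-Tahunan-2023.pdf",
    "set01/wp/scan_KTP_NPWP_budi.pdf",
    "set02/tender/Dokumen-Tender-2022.docx",
    "set02/kepegawaian/biodata_pegawai.xlsx",
    "set03/it/daftar_login_vpn_admin.xls",
    "set03/kontrak/Kontrak_Perjanjian_Vendor.doc",
    "set04/arsip/laporan_bulanan.pdf",
    "set04/arsip/Surat_Edaran.PDF",
    "set05/keuangan/surat_kuasa_rekening_bank.pdf",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(report["total_files"], report["by_extension"])
    print(report["by_category"])
    for prio, path, cats in report["flagged"]:
        print(f"{prio:6} {path}  {cats}")
```

Strip the host or archive prefix before running this over a real listing, otherwise domain or channel names that double as keywords (pajak, lelang) inflate the counts; and treat the result as a lower bound, exactly as the post does, because a file named "scan_001.pdf" never matches.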
Implications
For individuals: heightened identity theft risk from the combination of KTP and NPWP attributes, more convincing targeted phishing that reuses authentic forms and signatures, and potential financial fraud against bank or payroll channels where authorization letters or statements are present.
For the impacted agencies: regulatory and privacy exposure from large-scale PII leakage, operational and financial risk from exposed contract, invoice and procurement data that enables business email compromise, and reputational impact requiring verification, notification and coordinated takedowns.
Supply Chain Risks
Vendors and banking partners referenced in contracts, tenders, and invoices face impersonation, manipulated purchase orders, and altered settlement instructions. MSSPs should anticipate downstream targeting of integrators, local contractors, and financial intermediaries named in these materials.
Cyber Intelligence House’s Recommendations
Index the dataset, apply hash-tracking to detect mirrors, and submit coordinated takedown requests for reposts tied to Hacker Hometown and related hosts. Prioritize triage and notification for records containing KTP/NPWP or banking authorizations, and implement call-back verification with banks for any payment-channel change. Protect the data by encrypting identity scans and finance files, retaining them only as long as needed, and enabling data loss prevention. Require suppliers to rotate exposed document links and identifiers, and verify out-of-band before honoring any payment update.
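The "index and hash-track" step above amounts to keeping a content-hash manifest of the indexed dump and checking every suspected repost against it. The following is an added example of that workflow, not Cyber Intelligence House’s tooling; file names and contents are constructed byte strings, and the manifest format is this example’s own assumption. It shows the property that matters for takedown work: a renamed copy still hashes to the indexed file, while a re-saved or edited copy does not.

```python
from __future__ import annotations

import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map SHA-256 of content -> path of the indexed file."""
    return {sha256_hex(content): path for path, content in files.items()}


def manifest_from_dir(root: Path) -> dict[str, str]:
    """Same as build_manifest, but walks a directory of an already indexed dump."""
    return {
        sha256_hex(p.read_bytes()): str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file()
    }


def check_repost(manifest: dict[str, str], repost: dict[str, bytes]) -> dict:
    """Classify each file in a suspected repost: 'mirrored' (hash already in
    the manifest, whatever the new name) or 'unseen' (new or altered content).
    coverage is the share of the repost that is a byte-exact mirror."""
    mirrored: dict[str, str] = {}
    unseen: list[str] = []
    for path, content in repost.items():
        h = sha256_hex(content)
        if h in manifest:
            mirrored[path] = manifest[h]
        else:
            unseen.append(path)
    coverage = len(mirrored) / len(repost) if repost else 0.0
    return {"mirrored": mirrored, "unseen": unseen, "coverage": coverage}


# Constructed sample data (not material from the actual leak).
INDEXED_DUMP = {
    "dump/a.pdf":  b"%PDF-1.4 constructed sample A",
    "dump/b.xlsx": b"PK constructed sample B",
    "dump/c.docx": b"PK constructed sample C",
}
SUSPECTED_REPOST = {
    "mirror/renamed_a.pdf": b"%PDF-1.4 constructed sample A",  # renamed, same bytes
    "mirror/b.xlsx":        b"PK constructed sample B",        # identical copy
    "mirror/c_edited.docx": b"PK constructed sample C edited", # altered content
    "mirror/new.pdf":       b"unrelated constructed content",  # not in the dump
}

if __name__ == "__main__":
    manifest = build_manifest(INDEXED_DUMP)
    result = check_repost(manifest, SUSPECTED_REPOST)
    for new_path, original in result["mirrored"].items():
        print(f"mirror: {new_path} -> {original}")
    for new_path in result["unseen"]:
        print(f"unseen: {new_path}")
    print(f"coverage: {result['coverage']:.0%}")
```

The caveat is the "unseen" bucket: a PDF that was re-saved, re-compressed or watermarked by the reposter gets a different SHA-256 and looks new, so exact hashing should be paired with a similarity hash such as ssdeep or TLSH when deciding whether a repost is the same material.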