Tokopedia rolls out fintech lending service amid data breach investigation


Indonesian ecommerce unicorn Tokopedia has launched Dhanapala, a standalone peer-to-peer fintech lending platform. The app is already available for download to Android users, although the company has made no public announcement yet of its launch.
Dhanapala’s service went online while Tokopedia and Indonesian government entities are still investigating a data leak that exposed the personal information of up to 91 million of the company’s users, including their names, birth dates, genders, email addresses, and phone numbers. The leak was revealed when the information of 15 million of those users was published online in May. The hacker or group of hackers going by the name Whysodank sold the block of information for US$5,000 on a dark web marketplace.
Dhanapala’s launch raises a valid question: Given the recent lack of security in Tokopedia’s infrastructure and an ongoing investigation related to the incident, can it build a safe, reliable fintech product without risking exposure of its users’ financial assets and personal data?
Shortly after the breach was made public, Tokopedia’s CEO William Tanuwijaya said the company is cooperating with the investigation being conducted by government agencies, including the Ministry of Communication and Information Technology and the National Cyber and Crypto Agency (BSSN). The company was sued by Indonesia’s consumer association, with the first hearing held in June.

In July, three Tokopedia employees provided testimony for the case, according to local media reports.
“The purpose of the investigation is to find out who the perpetrators are and how they entered the company’s system. I think users and the public have the right to question the clarity of the investigation that has been going on for about four months because it involves their data,” Teguh Aprianto, founder of Ethical Hacker Indonesia and a cybersecurity consultant, told KrAsia. He also said that the investigation should not be taking this long since Tokopedia is cooperating with the IT ministry and BSSN.
“Look at Twitter, for example. The FBI arrested the hackers behind Twitter’s security breach within a month. I believe Tokopedia has the same abilities [to identify the parties involved in the breach], especially since it is assisted by large institutions,” Aprianto added.
The white-hat hacker pointed out that Dhanapala’s status as an affiliate of Tokopedia may mean it carries the same data security issues.
“Many people are still not aware of the dangers of data violation. Indonesia saw many data breach cases this year, and we’re starting to see new unsettling phenomena in society. For instance, there have been some reports lately about people receiving packages they did not order from unknown senders. I think this is a result of the rampant data leak cases that have happened recently. Imagine if a stranger knows where you live, where you work, and how much money you make. This can lead to more serious fraud and problems later on,” Aprianto said.
“What the public knows from this case, for now, is that Tokopedia’s system has been compromised and therefore is not safe. There is no guarantee that its fintech platform wouldn’t experience the same thing. That is why I think Tokopedia should publish the results or updates of its investigation to regain the public’s trust, especially since the data on fintech platforms is crucial – and it can be fatal if the data is leaked to irresponsible parties.”
Tokopedia did not respond to KrAsia’s request for comments regarding the investigation into its data security.
Dhanapala’s P2P lending service is licensed by Indonesia’s Financial Services Authority or Otoritas Jasa Keuangan (OJK). It acquired the permit in August 2019, according to Dhanapala’s official website, nine months before Whysodank posted the personal information of Tokopedia’s users online.
“Dhanapala … provides micro, small, and medium enterprises (MSMEs) with access to financial services, especially working capital, to develop their businesses and increase financial inclusion in Indonesia,” said Nuraini Razak, vice president of corporate communications at Tokopedia and a commissioner at Dhanapala, in a written statement received by KrAsia.
However, she did not elaborate further on the relationship between Dhanapala and Tokopedia, or explain why Dhanapala is a standalone app.
Gray areas in fintech data protection

In early August, the personal records of around 890,000 users on the fintech platform Kredit Plus were reportedly stolen and sold on the dark web. The information included users’ names, current home addresses, employment data, and family registries. Kredit Plus is one of the earliest entrants in Indonesia’s fintech sector. It provides multifinance loans and, like Dhanapala, is licensed by OJK.
Data hacks are a scourge for any tech company, and the threat isn’t going away any time soon. In Indonesia, cybersecurity regulation is fairly weak and has not kept pace with what hackers can do, according to Pratama Persada, a cybersecurity analyst at the Communication and Information System Security Research Center (CISSReC) in Jakarta. OJK’s regulations cover business activities but do not oversee the technical details of user data protection.
This means some fintech firms are not dedicating sufficient resources to their security infrastructure. “For instance, from the recent data leak cases, we see that companies encrypted only users’ passwords, while other personal data protection is not optimized,” Persada said.
Both Persada and Aprianto agreed that Indonesia should follow Europe’s General Data Protection Regulation, which imposes severe penalties on companies for lax user privacy protection. “We urge the government to pass the data protection law immediately, so there will be a sense of obligation for companies to step up their security systems. In Europe, companies that fail to protect customers’ data can be sued and fined up to 20 million euros, so they are very cautious in managing users’ data,” said Persada.
This report was first published on KrAsia.
