This is why you need backups: A cyber attack on an Indonesian data center caused havoc for public services – and its forcing a national rethink on data security

Flag of Indonesia flying in the wind against a backdrop of a blue sky with light clouds.
(Image credit: Getty Images)

The Indonesian government has announced it will commence an audit of its national data centers after officials revealed that data compromised in a recent cyber attack was not backed up. 

The breach at the country’s national data center site saw critical public services severely damaged, most notably in the country’s immigration systems at its airports. 

President Joko Widodo stepped in to order the audit, according to reporting by Reuters, instructing the Indonesian Development and Finance Controller (BPKP) to conduct an examination of the country’s data centers. 

According to the BPKP’s head Muhammad Yusuf Ateh, the audit is set to cover “governance and the financial aspect.”

This comes on the back of revelations about the data centers' backups, with an official from Indonesia's cyber security agency confirming that 98% of the government data stored at the site had not been backed up. 

The official in question, Hinsa Siburian, has blamed a lack of governance, though Meutya Hafid, chair of the commission investigating the breach, has described the ordeal as more a case of “stupidity.”

The country’s communications minister said backup capacity existed at the data centers but that it was optional to use. The minister added that data was not backed up due to budget constraints. 

The incident once again showcases the importance of having a robust backup strategy, according to Erfan Shadabi, cyber security expert at comforte AG.

“The unfortunate exposure of personal data for which the Indonesian government is responsible for care-taking should remind every organization to rethink their data security and storage,” Shadabi said.

Organizations must ensure they are prepared for situations such as these, Shadabi said, and should place a strong focus on developing “robust recovery capabilities” and “proactive data-centric protection". 

“The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t exfiltrate sensitive data and use that compromised information as further leverage,” he added.  


Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said the incident is another prime example of poor preparedness, adding that it wasn’t surprising to hear that such a critical site was missing any backups

“It's a fundamental oversight which speaks volumes about the cyber security culture of the organization,” he said. 

“It’s essential that governments and organizations alike adopt a more robust approach to cyber security, encompassing regular data backups, ransomware protection measures, and comprehensive incident response plans,” he added. 

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.