Dark Web News Analysis
A massive data privacy incident involving the Komisi Pemilihan Umum (KPU), the General Election Commission of Indonesia, has surfaced on the dark web. A threat actor on a hacker forum is advertising the sale of a database allegedly containing 105 million records.
The data reportedly originates from a breach that occurred in 2022, yet it is being sold now for a surprisingly low price of $1,000, payable in Bitcoin (BTC) or Monero (XMR). The threat actor is willing to use an escrow service, adding a layer of credibility to the sale. The compromised fields are extensive and highly sensitive: National ID Card Numbers (NIK), Family Card Numbers (KK), Full Names, Physical Addresses, Dates of Birth, and Gender.
Key Cybersecurity Insights
Breaches of national election registries are “Tier 1” critical infrastructure threats because they compromise the legal identity of nearly half the population:
- The “NIK + KK” Threat: In Indonesia, the combination of NIK (KTP) and KK (Kartu Keluarga) is the “Golden Key” to identity. Unlike in other regions where a photo ID is required, many digital services in Indonesia—including banking, SIM card registration, and especially “Pinjol” (Online Lending) apps—can be activated using just these two numbers.
- Illegal Loan (Pinjol) Fraud: The most immediate risk for Indonesian citizens is having their identity used to take out high-interest loans from illegal peer-to-peer lending platforms. Victims often only find out when debt collectors start harassing them for loans they never applied for.
- Election Integrity Concerns: While the KPU has stated this data might be from 2022, the leak of 105 million voter records erodes public trust in the electoral process. It provides ammunition for disinformation campaigns claiming that “ghost voters” or manipulated rolls are being used to rig elections.
- Low Price Anomaly: The $1,000 price tag for 105 million records is unusually low. This often indicates that the data may be “recycled” (aggregated from previous breaches like BPJS or Tokopedia) or that the actor is looking for a quick, low-risk sale rather than a high-value ransom.
Mitigation Strategies
To protect citizen identity and financial stability, the following strategies are recommended:
- “Cek DPT Online”: Citizens should use the official Cek DPT Online (KPU’s voter list checker) to verify their data status. This won’t fix the leak, but it helps confirm whether their data corresponds to the breached set.
- SLIK OJK Monitoring: Indonesians should regularly check their SLIK OJK (formerly BI Checking) report. This is the only way to see if unauthorized loans or credit applications have been made in their name using the leaked NIK/KK.
- Public Awareness Campaign: The government must launch a nationwide campaign warning citizens about phishing calls claiming to be from banks or the KPU. Attackers will use the real data (Name, Address, NIK) to convince victims they are legitimate officials.
- Biometric Verification: Financial institutions and “Pinjol” apps must be mandated to enforce Facial Recognition (Liveness Detection) for all loan applications to render the stolen static NIK/KK data useless for fraud.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com