Bali and Jakarta, Indonesia – Late last year, Balinese woman Nyi Le Putu Rustini received the shock of her life when she tried to withdraw cash from an ATM to complete a renovation project on her ancestral home.
Rustini, who works as a cleaner by day and a nanny by night, had accumulated 37 million Indonesian rupiah ($2,340) in an account at Bank Rakyat Indonesia, Indonesia's largest bank.
However, the ATM balance was almost zero.
When she visited her local BRI branch, the teller told her that her money was gone.
“They said hackers stole my money and I can't get it back,” Rustini told Al Jazeera.
“It's unfair because it took me a long time to earn that money and the hackers stole it in seconds. I was shocked.”
I Made Rai Dwi Ada Diatmika, a leather goods manufacturer in Bali, had a similar experience last August when she tried to make a withdrawal for the first time in years.
The hacker had depleted his savings of 72 million rupiah (approximately $4,650) in May of the previous year.
As in Rustini's case, BRI refused to accept responsibility for the losses.
“When I opened an account with BRI three years ago, I was asked to download an app to my phone. I was told it would be safe because I would receive a daily report. However, I forgot my password and never used it. I didn’t,” Diatomika told Al Jazeera.
“We put our money in banks for safety. But if hackers can break in so easily and find all our data, then BRI has a huge security problem. No doubt about it.”
Rustini and Diatomica are among a number of BRI customers whose deposits were stolen by hackers through the bank's mobile app.
Indonesia is Southeast Asia's largest economy, with the fourth largest number of internet users and the fifth largest e-commerce sector in the world, making it an attractive target for cybercriminals.
According to data released by Indonesia's National Cyber Encryption Agency, 361 million online traffic anomalies occurred in the country from January 1 to October 26 last year.
Attacks against Indonesian email accounts rose by 85% in the third quarter of 2023, despite a decline in breaches in countries such as the US and Russia, according to data collected by Netherlands-based cybersecurity firm Surfshark. increased.
Meanwhile, Indonesia ranks third from bottom among G20 countries in preventing and managing cyber threats, according to Estonia's National Cybersecurity Index.
“There is a lot of information out there showing that Indonesia is one of the world's biggest sources and targets of cybercrime,” Gatra Priyandita, an analyst at the Australian Strategic Policy Institute's Cyber Policy Center in Sydney, told Al Jazeera. “There is,” he said.
“Indonesians are more vulnerable in some ways because they have poor digital hygiene. They are becoming more aware of this issue, but when 200 million people suddenly jump online, they will always become more vulnerable. Sho.”
According to the Mandiant M-Trends 2023 study, government websites are the top targets for cyber hackers in Indonesia, followed by the energy and financial sectors.
“Banks are targeted because they are where the money is,” Muharto, BRI's information officer, who, like many Indonesians, only goes by one name, said at a forum in Jakarta in June. ” he said.
“Cybercriminals are now working together as a group with integrated capabilities,” he said, adding, “Banks cannot fight cybercrime alone; they need synergy. There is a need,” he added. [their efforts] Work with governments and regulators. ”
BRI has not released data on the number of customer accounts that have been hacked and did not respond to Al Jazeera's request for comment.
But the bank cited cooperation with law enforcement and investments in cutting-edge cybersecurity software sold by companies such as US-based Elastic Security, calling it a “pillar” of its mission to “take measures to combat cybercrime.” “We are taking lessons,” he claims.
“Its capabilities and capabilities based on our data make it a perfect fit for our operational needs,” BRI Head of Security Operations Tori Danalt reportedly said in a news release last year. .
In February last year, BRI permanently shut down the website version of its e-banking services and changed all online transactions to its new mobile banking app BRImo, saying the app was “more secure” and “more accessible for customers.” insisted.
BRI also claims it strives to educate customers about the dangers of installing mysterious apps and opening suspicious links and emails.
In July, a BRI customer in Malang, East Java, reported that 1.4 billion rupiah ($90,330) had been stolen from her account, but the bank said she received a fake wedding invitation sent on WhatsApp. Turns out I had clicked on it and enabled it.
“This incident occurred because the victim leaked personal and confidential banking data to an irresponsible person,” BRI Malang branch manager Stoyo Ahmad Fajar said in a statement at the time. Although he sympathizes with the victims, he added that the only thing he can do is pay compensation. When there is a mistake.
“Customers are responsible for 90% of cyber-attacks on bank accounts due to customer negligence and fraud techniques becoming increasingly sophisticated,” said Ardi Steja Kartawijaya, chairman of the Indonesia Cyber Security Forum in Jakarta. said.
However, if victims can prove that they did not authorize the breach, they can recover lost funds under the Indonesian government's deposit guarantee scheme.
“First, the victim must file a police report, which must then investigate in accordance with the Privacy Act 2022. However, this process requires complex forensic digital investigation skills; Please note that it will take a considerable amount of time,” Kartawijaya told Al Jazeera. .
ASPI's Priyandita said Indonesian authorities' ability to investigate such crimes is limited due to the limited number of digital forensics experts.
“The budget of the National Cyber Cryptography Agency has been cut from 2 trillion.” [rupiahs] 100 billion people in 2019 [rupiahs] During the pandemic – a time when they probably needed more funding.The budget is currently 600 billion [rupiahs]But it’s still not enough,” he said.
Diatomika, a cybercrime victim in Bali, experienced the problem of lack of resources firsthand.
“I gave the police all the details, including the name and account number of the person in Java who stole my money. But they told me that they did not have the budget to travel to Java to investigate, and that if I wanted my money back. “I said I had to fight the bank. But for that I needed a lawyer. I had no choice but to give up because I didn't have any more money.”
Like Diatomica, Rustini, who claims she has not downloaded any suspicious apps or clicked on any suspicious links, initially had no intention of fighting BRI because she thought the cost of hiring a lawyer was unaffordable. Ta.
But when Balinese law firm Malekat Hukum offered to represent her pro bono, she filed a complaint with the police.
In addition to filing a lawsuit against BRI, Malekat Hukum also filed a lawsuit with an Indonesian alternative dispute resolution agency, seeking to resolve the issue through mediation.
BRI has so far not responded to requests for mediation.
Malekat Hukum's partner Ní Lu Aryeh Ratna Sukasari said Rustini's loss was the tip of the iceberg at BRI.
“BRI Bank is famous for cyber-attacks. I have heard of many cases where customers lost everything and we need to do something about it,” she told Al Jazeera.
“They should be serving their customers and protecting their customers' money. Their argument that they are not responsible simply does not hold true. It is they, not the customers, who need better security. And if we can’t offer secure online banking, we shouldn’t offer it.”
Diatomica said she knows of other BRI customers who have fallen victim to similar scams.
“There was a man who lived only 3 minutes from my house. He had a stroke and died after paying Rp 1 billion. [$64,500] It was stolen from his account. His family had to sell their house,” he said.
Cybersecurity expert Kartawijaya said this phenomenon is not unique to BRI.
“Almost all financial service providers in Indonesia are exposed to continuous cyber-attacks. However, most companies do not report such events for reputation management reasons,” he said.
Priyandita said she was concerned that cybersecurity in the country would get worse before it gets better.
“Indonesia is looking to digital technology as a key driver of growth, but cybersecurity is not the priority it should be,” he said.
“Efforts are being made to address this issue, but again, resources are limited.”