back to article Indonesia’s national health insurance scheme leaks at least a million citizens' records

Indonesia’s government has admitted to leaks of personal data from the agency that runs its national health insurance scheme On May 20th Kominfo, Indonesia’s Ministry of Communication and Information Technology, acknowledged it was aware of a post on notorious stolen-data-mart Raidforums offering to sell a million records …

  1. Anonymous Coward
    Anonymous Coward

    Is there any point trying to keep data secure? Let's just have everything open and be done with it..

    1. Twanky Silver badge
      Trollface

      Is there any point...?

      Did you forget where you put this? -->

    2. Anonymous Coward
      Anonymous Coward

      I'll start, my real name is Dave.

      1. Trigonoceps occipitalis

        I'm Dave Too

        and so is he.

      2. Claptrap314 Silver badge

        I thought it was Sparticus.

        Wait, that won't work. There's a guy around here who is Not Sparticus...

        Bruce, maybe?

  2. Neil Barnes Silver badge

    Every time I see a report like this

    I wonder why systems are needed that can deliver such massive amounts of data in such a short time.

    I'm not suggesting that fast access to data is generally a bad thing, but where you are dealing with things like medical records, or financial records, it seems to me that other than for data mining, the main requirement is that e.g. my doctor can get *my* record quickly. He might need *your* record in half an hour, and my neighbour's record in a couple of days. But he doesn't need a million records *now*...

    I cheerfully acknowledge that I am not an IT professional in any way, but I can't help feeling that there's something wrong in the design of a database that allows its core data to be exported in bulk - whether that is by repeated accesses to the database or by bulk copying the physical file data.

    Probably I need to think about this a little more... but I am happy to be educated. Anyone?

    1. aphiatri

      Re: Every time I see a report like this

      While the customer/doctor/patient facing side of the application often (but not always) has rate limits, they don't work so well for the system administrator side of the application. You'll want to be able to back up the database in minutes or hours rather than months and you also need access to all data and not just "your own".

      There are a lot of potential attack scenarios but most of them end with the attacker using the system administrator side of the application giving them unrestricted access to everything.

      In quite a lot of cases the attacker will also attack the operating system rather than the application and end up with full access to the file system, where they can simply copy the raw files and bypass the database entirely.

      Finally unless there are sophisticated, monitored security systems detecting irregular access patterns the attacker might have been (ab)using the system for months before being detected, giving them enough time to bypass rate limits.

      1. Twanky Silver badge

        Re: Every time I see a report like this

        These are good points but I'm sure it would be possible to address both issues with proper database design. More or less instant access to an individual patient's records and aggregate only access to large chunks of data. I'm no expert on this and I guess that if the bad guys can take an entire backup and have inside information then all bets are off.

    2. AW-S

      Re: Every time I see a report like this

      Sometimes paramedics want near-instant access to medical data in emergencies.

      Few people carry an SOS Talisman or add their emergency medical data to their phone - and even then it may not have all the required information to preserve a life.

  3. Twanky Silver badge
    Flame

    Meanwhile...

    ...elsewhere... a small island kingdom makes a terrible mistake: https://www.theregister.com/2021/05/17/nhs_data_market_access/

    1. Anonymous Coward
      Anonymous Coward

      Re: Meanwhile...

      Opt out confirmed on Friday.

  4. Razgrizian
    Mushroom

    Government incompetence

    Welp, the problem is Indonesian government never take any privacy safeguard seriously until they got caught in a situation like this.

    About that privacy law legislation that being discussed in Parliament? Ahahaha, it is stuck in development hell as with everything else in this country. Analogue TV shutdown will happen... next year after years of delay.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like