Private Data Used in Crimes
Purchased private data can be used not only in marketing banking products but also in crimes.
JAKARTA, KOMPAS — Private data that can be sold and bought freely can be used to track down the data owners’ behavior on social media. Not only can the data owners fall prey to product marketing, they are also vulnerable to crime.
A Kompas investigation over the past week revealed that credit card owners whose private data were illicitly sold online confirmed that the data were valid. In general, these are credit card customers with a credit limit of over Rp 50 million (US$3,475).
Ayu, 48, who works as a manager at a company located in Central Jakarta, had her private data sold online with that of numerous other individuals in shops on e-commerce platforms Tokopedia and Bukalapak. She said she had given the personal information to a private bank when she applied for a credit card in 2002. “I receive calls and text messages offering various products almost every day,” she said.
Of these various offers, she said she was most worried by an offer via text message for an airsoft gun. Ayu said she suspected the sender knew about her airsoft gun activities. “I had no idea why the sender offered me an airsoft gun. How could they know about my hobby?” Ayu said, perplexed.
DS, a by-phone insurance product marketing agent, said private data was required in certain product sales. Background information on people is valuable in determining priority targets in marketing.
Private data of new credit card owners are considered “good” if the owners are open and cooperative in receiving insurance product offers. “Usually, banks only give us seven or eight good data per day. Bad data can number in the hundreds or even thousands,” he said.
DS said that potential “bad” customers were those who had had credit cards for more than three years. These people have received so many banking product offers, including fraudulent ones, that most of the time they reject new offers.
Fraud
Indonesian Credit Card Association (AKKI) executive director Steve Martha said rampant fraud involving requests for one-time passwords (OTP) or credit card verification codes was linked to the illicit sale of private data. With the personal information in their hands, criminals can convince victims that they are bank officers.
“Criminals will try to steal OTPs by defrauding bank clients. They pose as bank officers and cite the card number [found among the brokered private data]. The victims believe them and are convinced that the caller is actually from the bank,” Steve explained.
Jakarta Police spokesperson Sr. Comr. Argo Yuwono said the police used public reports to investigate cases of private data brokerage. Such investigations will only be possible with the public actively reporting such cases to the police.
Argo said 17 reports related to illicit use of private data had been lodged in 2018, 14 of which had been resolved. “If anyone suspects that their private data is being used illicitly and that they have been harmed by it, please file a report,” he said.
Identity theft
Information technology expert Onno W. Purbo said owners of brokered private data were sitting ducks for criminals. Armed with people’s full names and cell phone numbers, criminals can trace and identify the social media profiles of their victims. “They can look up names on Twitter or Facebook to find their profiles. The criminals will then be able to obtain secondary data on the internet,” he said.
Information from secondary sources can be used to help determine the types of products a victim would be interested in, including the type of crime they would be most vulnerable to. “It can be used for anything, for ads and for crime,” Onno said.
Indonesia Cyber Security Forum chair Ardi Sutedja said that without serious efforts to fight it, identity theft would be among the worst results of private data brokerage. Criminals can create new identities while using others’ private data. “They can then apply for bank loans while using our data. We will only find out that our data has been used illicitly once the bank attempts to collect the outstanding loan installments,” Ardi said.
Harmful to banks
So far, banks remain convinced that their systems protect customers’ private data. State lender PT Bank Rakyat Indonesia (BRI) director of network and services Osbal Saragi said he was not convinced that a lot of data was involved in private data brokerage. He said such practices harmed not only clients but also banks.
“Customer distrust would harm banks. This would result in reputation risks for banks,” Osbal said.
Citibank NA Indonesia chief executive officer Batara Sianturi said the illicit sale of customers’ private data, if true, would be input for regulators, including Bank Indonesia and the Financial Services Authority (OJK). “We must provide input to regulators so that banks can cooperate better with one another [to resolve private data brokerage],” he said.
The OJK prohibits the distribution of clients’ data without the explicit agreement of the data owner. OJK spokesperson Sekar Putih Djarot said customers could file a report with OJK via email at konsumen@ojk.go.id or through OJK Contact Center 157. The OJK will use the reports in its investigation into the banks. (MDN/ADY/NIA)