Jakarta (Reuters) – Indonesia’s biggest Islamic lender Bank Syariah Indonesia (BSI) (BRIS.JK) on Tuesday said it was working with regulators to bulletproof its cybersecurity after media reports that account details of 15 million customers were published online.
The data breach, which one cybersecurity expert said was the country’s worst at a financial institution, is the latest in a series of leaks at Indonesian companies and government agencies in the past few years.
One of the top 10 lenders in Indonesia, BSI in a statement did not confirm that its data had been leaked, but said it was “conducting recovery, audit and mitigation efforts so that similar disruptions do not occur”.
“We hope customers can remain calm because we can assure that their data and funds remain safe, and transactions are safe,” the bank said.
Indonesia’s Financial Services Authority said on Tuesday that it cannot conclusively determine whether it was a data leak, additing that it was conducting a forensic examination.
The lender’s financial services were disrupted on May 8, the bank added, including ATM withdrawals and online banking, due to “interference” in its system, but that the problem had been resolved by May 9.
According to cybersecurity expert Teguh Aprianto and a Singapore-based tech security firm DarkTracer, hacker group LockBit 3.0 claimed responsibility for the attack.
LockBit, which has targeted French defence and technology group Thales in the past, said it had accessed BSI data on May 8 and published it online on Tuesday.
Reuters could not independently verify the group’s claim.
Indonesian newspaper Tempo said it had verified some of the leaked with BSI customers.
“This is the worst attack on a bank,” said Teguh , a cybersecurity consultant whose past clients including a local bank and several financial tech firms, adding that leaked details included bank account holders, numbers, balances, and transaction histories.