Skip to Content

Customers at Indonesia’s Largest Bank Lose Life Savings Instantly

Bali and Jakarta, Indonesia – In a startling turn of events late last year, Nih Lu Putu Rustini, a Balinese woman, was left astounded when she attempted to withdraw money from an ATM to fund a renovation project at her family’s ancestral home.

Juggling two jobs as a cleaner during the day and a nanny at night, Rustini had diligently saved 37 million Indonesian rupiahs ($2,340) in an account at Bank Rakyat Indonesia, the largest bank in Indonesia.

However, to her dismay, the ATM displayed an almost negligible balance.

Upon visiting her local BRI branch, she was devastated to learn that her hard-earned money had vanished due to a hacker’s intrusion.

Expressing her frustration, Rustini recounted, “They informed me that a hacker had siphoned off my funds and that recovery was not feasible. It’s unjust because accumulating that sum took considerable effort, yet it was snatched away in an instant. I was utterly shocked.”

Similarly, I Made Rai Dwi Ada Diatmika, a manufacturer of leather goods in Bali, faced a similar predicament last August when he attempted to make his first withdrawal in years and discovered that a hacker had emptied his savings of 72 million rupiahs ($4,650) the previous May.

In a parallel narrative to Rustini’s experience, BRI disavowed any liability for the loss.

Recalling the events, Diatmika shared, “When I initiated the account at BRI three years ago, they recommended installing their app on my phone for enhanced security and daily updates. Regrettably, I never utilized it as I had forgotten the password.”

He added, “We entrust our funds to banks for safekeeping. However, if hackers can effortlessly breach the system and access all our information, it signifies a significant security flaw at BRI.”

Nih Lu Putu Rustini recounts the loss of approximately 37 million Indonesian rupiahs ($2,340) from her account [Al Jazeera]

Rustini and Diatmika are just a few among the many BRI clients whose savings fell victim to hackers exploiting the bank’s mobile app.

Indonesia, as Southeast Asia’s largest economy with a substantial online user base and a thriving e-commerce sector, presents an appealing target for cybercriminals.

Statistics from Indonesia’s National Cyber and Encryption Agency reveal 361 million online traffic anomalies between January 1 and October 26 last year.

Notably, email account breaches in Indonesia surged by 85 percent in the third quarter of 2023, contrasting with declines in countries like the US and Russia, as per data from cybersecurity firm Surfshark based in the Netherlands.

Despite these alarming trends, Indonesia ranks poorly among G20 nations in cyber threat prevention and management, according to Estonia’s National Cyber Security Index.

Gatra Priyandita, an analyst at the Australian Strategic Policy Institute’s Cyber Policy Centre in Sydney, remarked, “There is a wealth of evidence suggesting that Indonesia is a prime hub for cybercrime activities.”

He added, “Indonesians are particularly susceptible due to lax digital practices. While awareness is growing, the rapid digital adoption among 200 million users increases their vulnerability.”

Cyberattacks primarily target government websites in Indonesia, followed by the energy and financial sectors, as indicated by the Mandiant M-Trends 2023 survey.

Muharto, BRI’s head of information, emphasized at a Jakarta forum in June that banks are prime targets due to the concentration of financial assets. He highlighted the evolving landscape of cybercrime, with criminals forming collaborative groups to amplify their capabilities.

Muharto stressed the necessity for banks to collaborate with governmental bodies and regulators to combat cyber threats effectively.

While BRI refrains from disclosing the extent of hacked customer accounts publicly and did not respond to Al Jazeera’s inquiries, it asserts its commitment to combating cybercrime as a core tenet of its mission. The bank cites collaborations with law enforcement and investments in advanced cybersecurity solutions from companies like Elastic Security in the US.

Tri Danarto, BRI’s security operation department head, underscored the efficacy of cutting-edge cybersecurity software in fortifying the bank’s defenses, stating that the integration of such tools with their data enhances operational security.

In a strategic move in February last year, BRI permanently shuttered the website version of its e-banking services, redirecting all online transactions to its new mobile banking app BRImo, promoting it as a safer and more user-friendly alternative.

Moreover, BRI advocates for customer education on the risks associated with installing unknown apps and clicking on suspicious links and emails.

bro

BRI asserts that reimbursement for customers impacted by cyber scams is contingent on the bank’s culpability [Dita Alangkara/AP Photo]

In a notable incident in July, a BRI customer in Malang, East Java, reported a staggering theft of 1.4 billion rupiahs ($90,330) from her account. Investigations revealed that the customer inadvertently facilitated the breach by engaging with a fraudulent wedding invitation received via WhatsApp.

While expressing sympathy for the victim, BRI Malang branch manager Sutoyo Akhmad Fajar clarified that compensation is only feasible if the bank is found responsible.

Ardi Sutedja Kartawidjaya, chairperson of the Indonesian Cyber Security Forum in Jakarta, highlighted that in 90 percent of bank account cyberattacks, customer negligence or involvement in sophisticated fraud schemes is often the root cause.

However, under the Indonesian government’s deposit guarantee scheme, funds can be reinstated if the victim can substantiate their innocence in enabling the breach.

Kartawidjaya elaborated, “The victim must initiate a police report, prompting an investigation aligned with the Personal Data Protection Law of 2022. Notably, this process demands advanced digital forensic expertise and is time-intensive.”

Priyandita from ASPI raised concerns over Indonesia’s limited capacity to investigate cybercrimes due to a shortage of digital forensics specialists.

He remarked, “The National Cyber and Encryption Agency witnessed a drastic budget reduction from 2 trillion rupiahs in 2019 to 100 billion rupiahs during the pandemic, a period necessitating heightened funding. Although the budget now stands at 600 billion rupiahs, it remains insufficient.”

In Bali, Diatmika, a victim of cybercrime, faced the bureaucratic hurdle of resource constraints firsthand.

Despite providing detailed information, including the perpetrator’s name and account number, to the police, Diatmika was informed that due to budget constraints, an investigation in Java to recover the stolen funds was unfeasible. Left without financial means to pursue legal recourse, he reluctantly abandoned the pursuit.

Similarly, Rustini, adamant about her innocence in engaging with suspicious apps or links, initially hesitated to challenge BRI, citing legal expenses as a barrier. However, with the pro-bono representation offered by Balinese law firm Malekat Hukum, she opted to file a complaint with the authorities.

Malekat Hukum has not only initiated legal action against BRI but has also sought resolution through Indonesia’s Alternative Dispute Resolution Institution via mediation.

Despite repeated attempts, BRI has yet to engage in the mediation process.

ni luh

Ni Luh Arie Ratna Sukasari asserts that reported BRI account scams represent only a fraction of the larger issue [Al Jazeera]

Ni Luh Arie Ratna Sukasari, a partner at Malekat Hukum, emphasized that Rustini’s ordeal merely scratches the surface of the pervasive cyberattacks at BRI.

She criticized BRI’s track record, stating, “BRI Bank has gained notoriety for cyber breaches. Numerous cases have surfaced where clients have lost everything, necessitating immediate action.”

Sukasari added, “Banks have a duty to safeguard and serve their clients’ financial interests. Their refusal to accept responsibility is untenable. Rather than burdening customers with security measures, BRI should fortify its own defenses. If secure online banking cannot be assured, it should not be offered at all.”

Diatmika recounted instances of acquaintances falling prey to similar scams at BRI, underscoring the widespread nature of the issue.

He shared a poignant anecdote, “A neighbor living just minutes away had a fatal stroke after losing 1 billion rupiahs [$64,500] from his account. His family was compelled to sell their home.”

Cybersecurity expert Kartawidjaya highlighted that BRI is not an isolated case, with most financial service providers in Indonesia grappling with persistent cyber threats, albeit discreetly to uphold their reputation.

Priyandita expressed apprehension about the trajectory of cybersecurity in Indonesia, cautioning that the situation may deteriorate before substantial improvements materialize.

He concluded, “Indonesia is banking on digital innovation for growth, yet cybersecurity remains inadequately prioritized. While efforts are underway to address the issue, they are hampered by resource constraints.”