Imagine one morning your IT team discovers that thousands of customer records are already circulating on dark web forums. There was no prior warning and no obvious signs that anything was wrong.
This scenario is no longer fiction. IBM’s Cost of a Data Breach Report 2024 found that the global average cost of a data breach reached USD 4.88 million per incident, the highest figure in the report’s history.
In Indonesia, the threat has already proven to be real. Throughout 2023 and 2024, several major incidents affected government agencies and private organizations. In March 2023, data belonging to 18.5 million BPJS Ketenagakerjaan users was reportedly sold on the BreachForums dark web marketplace for approximately IDR 153 million.
Four months later, a hacker known as “RRR” claimed to have accessed 337 million population records from the Dukcapil system of the Ministry of Home Affairs. In 2024, data belonging to the Indonesian National Police’s Inafis system, the Indonesian Armed Forces Strategic Intelligence Agency, and the Ministry of Transportation were also reportedly exposed on the same platform.
Responding to a data breach quickly and in a structured manner is often the difference between a company that recovers successfully and one that becomes trapped in a prolonged crisis.
What Is a Data Breach?
A data breach occurs when information that should remain confidential falls into the hands of unauthorized parties. Causes may include cyberattacks, internal negligence, or unresolved system vulnerabilities.
There are two terms that are often used interchangeably: data breach and data leak. However, they are not the same. A data breach generally refers to an active attack from an external actor, such as a hacker successfully infiltrating a system to steal information.
A data leak, on the other hand, more commonly originates from within an organization: a file sent to the wrong recipient, a database stored on a public server without password protection, or a former employee who still retains system access after leaving the company. The legal consequences can be equally severe, but the root causes and prevention methods differ.
The most commonly exposed types of information include full names, addresses, identification numbers, financial data, and login credentials. Each carries different legal and reputational consequences depending on the scale and sensitivity of the information involved.
The Impact of a Data Breach on Companies
A data breach is not merely a technical issue that an IT team can resolve overnight. Its impact affects nearly every aspect of a business, from finances to customer trust.
Below are four of the most common areas affected after a data breach occurs.
Direct Financial Losses
The costs that arise after a data breach can come from multiple directions at once. These include forensic investigations, system recovery, customer notifications, and potential regulatory fines under Indonesia’s Personal Data Protection Law (UU PDP).
The potential penalties can be significant. Article 57 of the PDP Law establishes administrative fines of up to 2% of annual revenue. For a company generating IDR 500 billion annually, this could mean fines of up to IDR 10 billion.
For a company generating IDR 5 trillion annually, the figure could reach IDR 100 billion. In addition, Articles 67 through 73 provide criminal penalties ranging from IDR 4 billion to IDR 6 billion in fines, along with imprisonment of four to six years for intentional violations.
These costs do not include indirect losses such as declining share prices, lost business contracts, and legal expenses arising from lawsuits filed by affected parties.
Reputational Damage
Customer trust built over many years can collapse within days after news of a data breach becomes public. Customers who feel their data is not secure are likely to switch to competitors without much hesitation.
Organizations in the financial and healthcare sectors face even greater reputational risks because the information they handle is among the most sensitive.
Operational Disruption
When systems are shut down for investigation and recovery, business operations are disrupted as well. Processes that normally run automatically must be handled manually, productivity declines, and customer service suffers.
The duration of the disruption depends largely on how prepared the company is to handle incidents. Without a clear recovery plan, operations may be affected for weeks.
Legal Sanctions
Indonesia’s Law No. 27 of 2022 on Personal Data Protection grants supervisory authorities the power to impose administrative sanctions on organizations that fail to adequately protect personal information.
Sanctions may include written warnings, fines, or even temporary suspension of data processing activities.
In certain cases, intentional violations or incidents causing widespread harm may result in criminal liability for responsible parties.
Why Rapid Response Matters
Many organizations only realize the importance of rapid response after an incident has already caused significant damage. Time is one of the most expensive variables in data breach management.
Organizations that successfully detect and contain breaches within 200 days save an average of USD 1.12 million compared to those that take longer.
Every hour of delay means more exposed data, more affected customers, and a greater risk of regulatory penalties.
Indonesia’s Personal Data Protection Law requires data controllers to notify affected parties no later than 72 hours (3×24 hours) after discovering a breach.
How to Respond to a Data Breach: Step by Step
An effective response is impossible without proper preparation. The following stages should be carried out sequentially whenever a data breach occurs within your organization.
1. Identify and Confirm the Incident
The first step is confirming that an incident has actually occurred before taking further action.
The security team should answer three fundamental questions: what data was affected, when the incident began, and through which pathway the unauthorized access occurred.
For example, if monitoring systems detect unusual outbound data transfers in the middle of the night, the team should immediately collect access logs and analyze the activity patterns.
Rushing to publicly confirm an incident without sufficient evidence can worsen communication challenges and create unnecessary confusion.
2. Limit the Damage Immediately (Containment)
Once the incident has been confirmed, the first priority is stopping further exposure. Do not wait for the investigation to be completed before taking action.
From a technical standpoint, containment measures should generally be performed in the following sequence:
- Isolate affected network segments from the primary network to stop lateral movement by attackers.
- Revoke all credentials suspected of being compromised, including administrator accounts and service accounts, and replace them across connected systems.
- Enable read-only mode on exposed databases to prevent further data modification or deletion during the investigation.
- Freeze user accounts displaying suspicious behavior, especially access outside business hours or from unusual locations.
This order matters. Revoking credentials before isolating network segments may give attackers enough time to move to other systems before access is removed.
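The identification step above (unusual outbound transfers in the middle of the night) and the last containment item (access outside business hours or from unusual locations) both reduce to the same triage pass over access logs. The Go program below is an added example, not code from this article or from Adaptist; the key=value log format, the 08:00 to 18:00 business-hours window, the 500 MiB off-hours egress threshold and the per-account location baseline are all assumptions, and the log lines are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed line of the constructed access/egress log below.
type Event struct {
	When   time.Time
	User   string
	Geo    string // country code of the source address (constructed field)
	Action string // "login" or "egress"
	Bytes  int64  // bytes sent, for egress events
}

// Alert is one finding the IR team should pull full access logs for.
type Alert struct { When time.Time; User, Reason string }

// Business-hours window and off-hours egress threshold are assumptions; tune to your own baseline.
const (
	businessStart = 8
	businessEnd   = 18
	egressLimit   = 500 * 1024 * 1024 // 500 MiB
)

// SampleLog is constructed data in the form "<RFC3339 time> key=value ...".
// Timestamps carry the local offset (+07:00) so Hour() yields local time.
var SampleLog = []string{
	"2024-05-14T02:17:43+07:00 user=svc-backup src=10.0.5.12 geo=ID action=egress bytes=2147483648 dst=203.0.113.7",
	"2024-05-14T09:05:10+07:00 user=ani src=10.0.2.31 geo=ID action=login",
	"2024-05-14T03:40:02+07:00 user=budi src=198.51.100.9 geo=RU action=login",
	"2024-05-14T10:12:00+07:00 user=ani src=10.0.2.31 geo=ID action=egress bytes=1048576 dst=203.0.113.7",
}

// UsualGeo is the per-account baseline location (constructed).
var UsualGeo = map[string]string{"svc-backup": "ID", "ani": "ID", "budi": "ID"}

// ParseLine turns one log line into an Event; unknown keys are ignored.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	n, _ := strconv.ParseInt(kv["bytes"], 10, 64) // 0 when the key is absent
	return Event{When: t, User: kv["user"], Geo: kv["geo"], Action: kv["action"], Bytes: n}, nil
}

func offHours(t time.Time) bool {
	h := t.Hour()
	return h < businessStart || h >= businessEnd
}

// Triage applies two rules from the text: large off-hours outbound transfers, and logins
// outside business hours or from an unusual location. Alerts come back in time order.
func Triage(lines []string, usualGeo map[string]string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			continue // malformed lines are skipped, not fatal
		}
		switch ev.Action {
		case "egress":
			if offHours(ev.When) && ev.Bytes > egressLimit {
				alerts = append(alerts, Alert{ev.When, ev.User, fmt.Sprintf("off-hours egress of %d bytes", ev.Bytes)})
			}
		case "login":
			if g, ok := usualGeo[ev.User]; ok && g != ev.Geo {
				alerts = append(alerts, Alert{ev.When, ev.User, "login from unusual location " + ev.Geo})
			} else if offHours(ev.When) {
				alerts = append(alerts, Alert{ev.When, ev.User, "login outside business hours"})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].When.Before(alerts[j].When) })
	return alerts
}

func main() {
	for _, a := range Triage(SampleLog, UsualGeo) {
		fmt.Printf("%s %-10s %s\n", a.When.Format(time.RFC3339), a.User, a.Reason)
	}
}
```

On the sample data the program raises two alerts: the 2 GiB transfer by svc-backup at 02:17 and budi's login from an unexpected country at 03:40; the daytime login and the small daytime transfer are left alone. The alerts are the starting point for collecting full access logs, not a verdict on their own.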
3. Notify Authorities and Affected Parties
Notification is not only an ethical responsibility but also a legal obligation with strict deadlines. Article 46 paragraph (1) of the PDP Law requires data controllers to provide written notification within 72 hours of becoming aware of a breach.
This notification must be delivered to both affected data subjects and the supervisory authority.
Under Article 58 of the PDP Law, the supervisory authority is established by the President and reports directly to the President. Until the authority is formally established, breach notifications are coordinated through the Ministry of Communication and Digital Affairs (Komdigi).
According to Article 46 paragraph (2), the notification must include at least three elements: the personal data that was exposed, when and how the incident occurred, and the mitigation and recovery measures being undertaken.
The notification sent to regulators and customers does not have to be identical, but both must contain these core elements.
Vague communication or attempts to conceal important facts will only deepen the trust crisis. From a legal perspective, late or incomplete notifications may trigger additional administrative penalties.
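As an added example (not part of the original article or any Adaptist product), the Go snippet below tracks the 72-hour clock from the moment of discovery and checks a draft notice for the three elements of Article 46 paragraph (2). The Notice layout and the sample timestamps are assumptions; the law specifies the content, not a data structure.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// NotificationWindow is the 72-hour limit of Article 46 paragraph (1).
const NotificationWindow = 72 * time.Hour

// Notice is a constructed record of one breach notification.
type Notice struct {
	DiscoveredAt time.Time // when the controller became aware of the breach
	SentAt       time.Time // when the written notice went out (zero if not yet sent)
	ExposedData  []string  // categories of personal data exposed
	WhenAndHow   string    // when and how the incident occurred
	Mitigation   string    // mitigation and recovery measures under way
}

// Deadline is the last moment a written notice may be sent.
func Deadline(discovered time.Time) time.Time {
	return discovered.Add(NotificationWindow)
}

// Remaining reports how much of the window is left at now (negative if overdue).
func Remaining(discovered, now time.Time) time.Duration {
	return Deadline(discovered).Sub(now)
}

// Validate checks the three content elements of Article 46 paragraph (2) and,
// once the notice has been sent, the 72-hour window. It returns every problem found.
func Validate(n Notice) []string {
	var problems []string
	if len(n.ExposedData) == 0 {
		problems = append(problems, "missing: personal data that was exposed")
	}
	if strings.TrimSpace(n.WhenAndHow) == "" {
		problems = append(problems, "missing: when and how the incident occurred")
	}
	if strings.TrimSpace(n.Mitigation) == "" {
		problems = append(problems, "missing: mitigation and recovery measures")
	}
	if !n.SentAt.IsZero() && n.SentAt.After(Deadline(n.DiscoveredAt)) {
		problems = append(problems, fmt.Sprintf("late: sent %s after the deadline",
			n.SentAt.Sub(Deadline(n.DiscoveredAt))))
	}
	return problems
}

func main() {
	// Constructed scenario: discovered at 02:30 WIB, notice drafted without a mitigation section
	// and sent 80 hours later.
	discovered := time.Date(2024, 5, 14, 2, 30, 0, 0, time.FixedZone("WIB", 7*3600))
	n := Notice{
		DiscoveredAt: discovered,
		SentAt:       discovered.Add(80 * time.Hour),
		ExposedData:  []string{"full name", "national ID number"},
		WhenAndHow:   "2024-05-14 02:17 WIB, via a compromised service account",
	}
	fmt.Println("deadline:", Deadline(discovered).Format(time.RFC3339))
	for _, p := range Validate(n) {
		fmt.Println("-", p)
	}
}
```

The same Validate call can be run against the regulator's copy and the customers' copy separately: the wording may differ, but both must clear the checklist.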
4. Investigate the Root Cause
Containment does not mean the problem has been resolved. A thorough investigation is required to identify the point of entry and ensure that the same vulnerability cannot be exploited again.
This process involves digital forensic analysis and comprehensive examination of system logs. In many cases, the cause is not a sophisticated external attack but rather a simple weakness such as unchanged default passwords.
For large-scale incidents or breaches with potential criminal implications, three additional steps should be considered.
First, involve certified external forensic investigators so findings can withstand legal scrutiny and remain independent.
Second, maintain a proper chain of custody for all digital evidence, including server logs, disk images, and screenshots of suspicious activities. Evidence without documented chain of custody may be rejected in court.
Third, coordinate with Indonesia’s National Cyber and Crypto Agency (BSSN) for technical assistance and with law enforcement authorities if criminal violations under the PDP Law or Electronic Information and Transactions Law are suspected.
5. Recover Systems and Data
Once the root cause has been identified and vulnerabilities have been addressed, the next step is restoring systems to a secure operational state. This includes restoring data from backups, rotating credentials, and thoroughly retesting systems.
Two important activities are frequently overlooked.
First, verify backups before restoration. Infected or incomplete backups can worsen the situation instead of solving it. Validate backup integrity and test recovery in an isolated environment before deployment into production.
Second, implement post-incident monitoring after systems are restored. Closely monitor activity for at least two to four weeks. Attackers sometimes return after recovery by exploiting alternative access paths or overlooked accounts.
Do not rush systems back online. A single missed vulnerability can open the door to a second incident.
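One concrete form of "verify backups before restoration" is a digest manifest: record a SHA-256 per file when the backup is taken, store the manifest apart from the backup, and refuse to restore unless every file matches. The Go program below is an added example, not code from this article or from Adaptist; the manifest format, the separate storage of the manifest and the backup contents are assumptions, and the files are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a backup file name to its SHA-256 digest. It is written when the
// backup is taken and kept apart from the backup itself (assumption).
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is what the backup job runs at backup time.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		m[name] = digest(data)
	}
	return m
}

// VerifyBackup is the gate before restore: every manifest entry must be present
// and unchanged, and no file outside the manifest may have appeared.
func VerifyBackup(m Manifest, files map[string][]byte) []string {
	var problems []string
	for name, want := range m {
		data, ok := files[name]
		if !ok {
			problems = append(problems, "missing: "+name)
			continue
		}
		if digest(data) != want {
			problems = append(problems, "digest mismatch: "+name)
		}
	}
	for name := range files {
		if _, ok := m[name]; !ok {
			problems = append(problems, "unexpected file: "+name)
		}
	}
	sort.Strings(problems)
	return problems
}

// RestoreAllowed is the only question a restore script should ask.
func RestoreAllowed(m Manifest, files map[string][]byte) bool {
	return len(VerifyBackup(m, files)) == 0
}

func main() {
	// Constructed backup set as it was at backup time.
	backup := map[string][]byte{
		"customers.sql": []byte("INSERT INTO customers VALUES (1,'Ani');"),
		"orders.sql":    []byte("INSERT INTO orders VALUES (1,1,250000);"),
	}
	manifest := BuildManifest(backup)

	// Simulate a truncated file in the copy we are about to restore.
	restored := map[string][]byte{
		"customers.sql": []byte("INSERT INTO customers VALUES (1,'Ani');"),
		"orders.sql":    []byte("INSERT INTO orders VALUES (1,1,25"),
	}
	fmt.Println("restore allowed:", RestoreAllowed(manifest, restored))
	for _, p := range VerifyBackup(manifest, restored) {
		fmt.Println("-", p)
	}
}
```

A digest check proves the backup is the one that was taken; it does not prove the backup predates the intrusion. Pair it with the isolated test restore the text calls for, so that a backup taken after the attacker's changes is caught as well.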
6. Evaluate and Improve Security Controls
A data breach is a signal that something requires improvement, whether in technology, processes, or human resources. A comprehensive audit should be conducted to identify existing gaps.
Organizations that take data security seriously treat security reviews as a routine operational practice rather than an emergency response activity.
Preventive Measures Before a Breach Occurs
Effective response begins long before an incident takes place. Several preventive measures should already be in place in any organization handling sensitive information.
Prevention is not a single action but a series of complementary layers of protection.
Strict Access Management
Employees should only have access to the information necessary to perform their jobs. This principle is known as least privilege.
For example, finance staff do not need access to medical records databases, and marketing teams do not need the ability to download entire customer databases containing payment information.
Encryption of Sensitive Data
Both stored and transmitted data should be encrypted. If encrypted information falls into the wrong hands, it becomes practically useless without the correct decryption key.
Common standards include AES-256 for stored data and TLS 1.2 or higher for data in transit. Encryption keys should be managed separately from the protected data.
Employee Security Training
Many breaches involve human error, whether through phishing attacks, weak passwords, or sharing information without proper verification. Ongoing security training is therefore essential.
Training should not be limited to onboarding sessions. Regular phishing simulations, policy updates, and data-handling guidance help employees remain vigilant against evolving threats.
Regular Audits and Monitoring
Systems that are not monitored are inherently vulnerable. Routine log monitoring, periodic penetration testing, and configuration reviews are proven security measures.
Audits should also include periodic reviews of user access rights. Employees who change roles or leave the company often retain unnecessary system access due to poor deprovisioning processes.
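The least-privilege principle from the Strict Access Management section and the periodic access review described here fit in one piece of code: a deny-by-default role policy answers access requests, and the review compares the grants each account actually holds against its HR role and status. The Go program below is an added example, not code from this article or from Adaptist; the roles, resources, the separate "read" and "bulk_export" actions and the roster are all constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is one permission an identity holds: a resource plus an action. "read" and
// "bulk_export" are distinct so looking up a record and downloading the whole table
// are different rights.
type Grant struct{ Resource, Action string }

// RolePolicy is the deny-by-default mapping from role to permitted grants (constructed).
var RolePolicy = map[string][]Grant{
	"finance":   {{"billing", "read"}, {"billing", "write"}},
	"marketing": {{"customers", "read"}},
	"clinician": {{"medical_records", "read"}},
	"dba":       {{"customers", "bulk_export"}, {"billing", "read"}},
}

// Person is an HR roster entry (constructed).
type Person struct {
	Role   string
	Active bool
}

// Allowed answers an access request from the role's policy only; anything not listed is denied.
func Allowed(role string, g Grant) bool {
	for _, p := range RolePolicy[role] {
		if p == g {
			return true
		}
	}
	return false
}

// ReviewAccess compares what each account holds against what its HR role permits.
// It reports grants beyond the role and any grant held by a departed or unknown account.
func ReviewAccess(roster map[string]Person, held map[string][]Grant) []string {
	var findings []string
	for user, grants := range held {
		p, known := roster[user]
		if !known || !p.Active {
			findings = append(findings, fmt.Sprintf("%s: %d grant(s) held by an inactive or unknown account", user, len(grants)))
			continue
		}
		for _, g := range grants {
			if !Allowed(p.Role, g) {
				findings = append(findings, fmt.Sprintf("%s (%s): %s:%s exceeds role", user, p.Role, g.Resource, g.Action))
			}
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	roster := map[string]Person{
		"ani":   {"finance", true},
		"budi":  {"marketing", true},
		"citra": {"clinician", false}, // left the company, account never deprovisioned
	}
	held := map[string][]Grant{
		"ani":   {{"billing", "read"}, {"medical_records", "read"}},
		"budi":  {{"customers", "read"}, {"customers", "bulk_export"}},
		"citra": {{"medical_records", "read"}},
	}
	fmt.Println("marketing may bulk-export customers:", Allowed("marketing", Grant{"customers", "bulk_export"}))
	for _, f := range ReviewAccess(roster, held) {
		fmt.Println("-", f)
	}
}
```

Run against the constructed data, the review flags the finance user's medical-records grant, the marketing user's bulk-export grant and every grant still held by the departed clinician, which are exactly the three kinds of drift the text warns about.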
Legal Considerations for Data Breaches in Indonesia
Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) serves as the primary regulatory framework. When a breach occurs, two immediate obligations arise: notifying supervisory authorities and affected individuals within 72 hours and documenting response and recovery efforts.
Regarding penalties, Article 57 establishes administrative fines of up to 2% of annual revenue. Articles 67 through 73 provide criminal sanctions ranging from IDR 4 billion to IDR 6 billion in fines and imprisonment of four to six years.
For corporations, criminal fines may be increased by up to ten times under Article 70. Organizations may also face civil lawsuits from individuals whose personal information was compromised.
The authority responsible for imposing administrative sanctions is the supervisory body established under Article 58 of the PDP Law. Until this authority is formally operational, coordination remains under the Ministry of Communication and Digital Affairs (Komdigi).
Additional regulations may also apply. Indonesia’s Electronic Information and Transactions Law governs unauthorized access to electronic systems and data theft, while financial institutions must comply with regulations issued by the Financial Services Authority (OJK). Healthcare organizations are subject to regulations concerning medical records and patient data.
Understanding which regulations apply to your organization is a critical first step. Some companies may be subject to multiple regulatory frameworks simultaneously.
Conclusion
A data breach is no longer a question of if it will happen, but when. Organizations that prepare incident response plans and maintain layered security controls are significantly better positioned to handle future incidents.
Speed and accuracy are non-negotiable. From incident identification and containment to notification, investigation, and recovery, every stage requires procedures that have been tested and refined in advance.
Adaptist PRIVEE is a personal data protection management solution designed to help organizations meet their compliance obligations under Indonesia’s Personal Data Protection Law.
If your organization is looking to strengthen its data protection strategy, Adaptist PRIVEE can be the right place to start.
Ready to Manage Privacy Compliance as a Business Risk?
See how GRC helps map personal data risks, monitor compliance with the PDP Law, and prepare companies for audits without complicated manual processes.
FAQ
Immediately identify and confirm the incident, determine the affected data, and perform containment measures to limit further damage.
Data controllers are required to notify affected parties and the supervisory authority within 72 hours (3×24 hours) after the incident is discovered.
Implement strict access controls, encrypt sensitive data, provide regular security awareness training for employees, and conduct routine system audits and monitoring.