TEMPO.CO, Jakarta - Indonesian influencer Abil Sudarman experienced a cyberattack after creating a video criticizing a job posting by the Ministry of Communication and Digital (Komdigi) that violated the Personal Data Protection Law.
Abil told Tempo that his startup's website and social media were attacked two hours after he uploaded a video titled "penghargaan loker paling aneh 2026 kepada Komdigi" (Komdigi's Strangest Job Opening Award 2026). The video was uploaded to his Instagram reels, @abilsudarman, on January 27, 2026.
Abil said he was attacked two hours after uploading the reels video at 1:00 PM WIB (Western Indonesian Time). "The attack was a 'denial of service' attack," Abil said when contacted by Tempo on January 28, 2026.
A 'denial of service' is an attack on a website to disrupt its users. The site that was attacked was the website of a career development startup company founded by Abil, ordal.id. Abil explained that the attack involved spamming fake job openings distributed to the site's 53,000 users. The fake job spam was generated using artificial intelligence (AI).
A total of more than 16,000 fake job postings were distributed to the ordal.ir website to 53,000 users. "This is incredibly disruptive. They might end up applying to fake job postings, ghost job postings, and all sorts of things, and all in just a few hours," said Abil.
Abil said the attacker used an AI agent. This is because, Abil said, his website also uses AI security. The AI agent attack was able to bypass the AI protection measures implemented by ordal.id.
In addition to his startup website, Abil's social media accounts were also attacked. Abil detected attempts to log into his Instagram and X accounts. The attackers failed to break into Abil's Instagram account, but managed to log into his X account.
"Some of them were odd. There were logins from phones that weren't mine. There was a Xiaomi, and there was an iPhone 13 Pro Max, which aren't my phones," he said.
After his X account was compromised, Abil immediately changed his password. Abil said the attacker removed the video of his Komdigi locker on X from his followers. He realized this after his friends' Twitter accounts couldn't find the video on Abil's X profile. However, Abil could view the video from his X account.
"So I thought maybe it was so the video owner wouldn't know it had been taken down. But it wasn't on other phones," he said.
Abil said he didn't know who attacked his account and website. However, he said the attack was quite sophisticated, as it bypassed his website's security.
Furthermore, Abil doubted the attack was carried out by a prank hacker or someone intentionally exploiting security vulnerabilities for a reward. He said his website had experienced minor attacks from parties who were just messing around or proving a vulnerability in its security system.
"Usually, if it's students or pranksters, they'll stop on the first day. Or they'll tell us, hoping we'll give them a reward. Or they'll hire them as consultants," he said.
These small attacks are usually not disruptive, and hackers typically notify Abil via email after successfully breaching his security.
"But from my perspective, this is purely an act of destruction. No data was stolen, no one was held hostage. We weren't asked for anything in return. So it was purely destructive. To date, I haven't found any stolen data," Abil said.
This incident began when the Directorate General of Digital Infrastructure, Komdigi, opened a job opening for individual procurement of other services (PJLP). The opening was announced via letter number B-71/DJID.1/KP.03.01/01/2026 and signed by the Secretary of the Directorate General of Digital Infrastructure, Indra Maulana, on January 8, 2026. There were nine positions offered in the opening.
However, the problem was that applicants sent their files and personal data to a link listed in the opening. The link redirected to an open-access Google Drive, allowing anyone to view and access the applicants' files without protection.
Tempo attempted to open the link https://s.komdigi.go.id/ZZoDj on January 28, 2026, at 7:00 PM WIB. However, the Google Drive link was already protected.
This negligence was mentioned by influencer Abil Sudarman in a video reel on his Instagram account, @abilsudarman, on January 27, 2026. In his Instagram reel, Abil Sudarman awarded Komdigi the "oddest job vacancy award of 2026." In the video, Abil touched on the application process.
He stated that applicants should send personal documents such as CVs, photocopies of diplomas, ID cards, transcripts, and a health certificate to the link in the announcement letter with the Komdigi letterhead.
However, when clicking on the shortened URL in the Komdigi job posting, it redirects to a publicly accessible Google Drive.
"The problem is that all applicants' data is visible in this Google Drive. You can see all their names in all their folders. So, if you want to apply, you can access other applicants' personal data. It's obvious, everything is exposed," said Abil.
Abil also questioned Komdigi, which proposed the Personal Data Protection Law, and instead disclosed personal data.
As of this writing, Komdigi Minister Meutya Hafid and Komdigi Secretary-General Ismail had not responded to Tempo's confirmation messages regarding the job posting.
The Indonesian Digital Convergence, Innovative Synergy, or KONDISI, also criticized Komdigi's negligence in failing to protect applicants' personal data. KONDISI Director Damar Juniarto said Komdigi made a fatal error and needed to correct itself.
"It's ironic that the ministry that initiated the Personal Data Protection Law is actually a state institution that is incompetent in implementing the Personal Data Protection Law," said Damar in a written statement received by Tempo on January 28, 2026.
Damar also questioned Komdigi's commitment to protecting citizens' personal data. He said, how can the public trust national data security if job applicant data within the ministry isn't protected?
KONDISI stated that Komdigi has violated Articles 16 and 35 of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). Article 16 states that Personal Data Controllers (in this case, KOMDIGI) are required to demonstrate integrity, confidentiality, and security in data processing.
Furthermore, Article 35 emphasizes the organizer's obligation to protect data from unauthorized access. Leaving applicant data publicly available is a disregard for privacy by design and privacy by default standards.
Damar explained that the ease with which applicants could view other applicants' personal data, such as resumes, identities, work histories, and sensitive data, indicates a violation of the principles of personal data security and confidentiality, which are mandatory for data controllers.
"As a data controller, Komdigi failed to fulfill its obligation to guarantee data protection from unauthorized access. Therefore, this is not just a technical error, but a systemic failure in data governance," he said.
Damar urged Komdigi to conduct an audit and report the breach. The Personal Data Protection Law requires data subjects to be notified of personal data breaches and to clearly demonstrate mitigation steps.
Read: Minister Orders Probe Into Terror Against Government Critic
Click here to get the latest news updates from Tempo on Google News
:strip_icc():format(jpeg)/kly-media-production/medias/4548967/original/094336900_1692782124-tanaphong-toochinda-FEhFnQdLYyM-unsplash.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5327418/original/014991800_1756180726-alexandr-podvalny-TciuHvwoK0k-unsplash.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/3279101/original/098164400_1603767645-andrea-bertozzini--UkZIGs4ejo-unsplash.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/4051493/original/078187600_1655119675-pexels-andrea-piacquadio-3820120.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5379294/original/048844700_1760340561-pexels-eren-li-7169042.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5395215/original/007113100_1761665026-WhatsApp_Image_2025-10-27_at_13.37.11_2916f394.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5361900/original/014213200_1758797231-prostooleh.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5375405/original/050547600_1759921524-pexels-kelvinocta16-1973270.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5131632/original/033958900_1739420740-pexels-runffwpu-2787861.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5361908/original/053516400_1758797575-Photo_1.jpeg)
:strip_icc():format(jpeg)/kly-media-production/medias/5331910/original/072110300_1756451465-sigmund-TJxotQTUr8o-unsplash.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5355687/original/010864400_1758350038-high-angle-boy-concentrated-reading.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/5050523/original/046365500_1734147533-Screenshot_2024-12-14_at_10.32.31.jpg)
:strip_icc():format(jpeg)/kly-media-production/medias/4701786/original/013309600_1703841814-jonathan-borba-Z1Oyw2snqn8-unsplash.jpg)