Alleged leak of 58 million student records sparks digital trust crisis in Indonesia’s education sector

Indonesia is investigating claims that up to 58 million student records have surfaced on the Dark Web. While officials deny any breach of central servers, concerns grow over third-party vulnerabilities and data protection compliance.

AI-Generated Summary
  • Claims that up to 58 million Indonesian student records were exposed online have sparked widespread alarm.
  • Authorities deny any breach of central education servers but investigations remain ongoing.
  • Experts warn vulnerabilities may lie within third-party education technology providers rather than government databases.

Indonesia’s education sector is facing mounting scrutiny after claims that data linked to as many as 58 million students appeared on a Dark Web marketplace.

The allegations, widely discussed on Indonesian social media, have raised concerns over data protection in the country’s increasingly digital school system.

If confirmed, the case could rank among the largest known exposures of student data tied to Indonesia’s public sector.

Authorities have denied that government servers were breached, but the controversy has sharpened public debate over how sensitive personal information is collected, managed and secured.

Government Denial Meets Public Anxiety

Public alarm intensified after online accounts alleged that an anonymous hacker, identified only as “SN1F”, was offering access to Indonesian student data through underground forums.

According to posts circulating on social media platform X, the seller claimed to possess not only historical data but also a mechanism enabling ongoing extraction from official databases.

In response, government officials moved quickly to calm public fears. Coordinating Minister for Human Development and Culture Pratikno stated on 10 February 2026 that investigations conducted so far show no evidence of a breach originating from government education servers.

The Ministry’s Data and Information Centre similarly reported that its systems showed no signs of compromise, although authorities confirmed that investigations remain ongoing.

Teams from the National Cyber and Encryption Agency (BSSN), the Ministry of Communication and Digital Affairs, and education authorities are jointly examining the allegations.

Education Minister Abdul Mu’ti also dismissed claims that data from the national education database—known as Dapodik—had been leaked.

Yet the official denials have not entirely quelled concerns. For many observers, the more pressing question now is not whether central servers were hacked, but how such large volumes of student data could appear in cybercrime markets at all.

The Hidden Weakness: Education’s Data Supply Chain

Understanding the controversy requires examining how student data actually move within Indonesia’s education system. Contrary to common assumptions, student records are not stored in a single centralised repository.

Data typically flow from schools to district and municipal education offices before eventually reaching national servers. Along this journey, however, data often pass through numerous third-party platforms and private technology providers.

Indonesia’s rapid push towards digital schooling has led institutions to adopt various privately developed systems, including attendance tracking tools, learning management platforms, financial administration software, and digital student admission systems.

Many of these platforms require access to student information or rely on data exports from official systems for verification purposes.

Cybersecurity specialists refer to this exposure as a “data supply chain” vulnerability. Even if government data centres are secure, weak security practices among private vendors may provide hackers with an easier entry point.

A poorly secured server, unpatched software, an exposed database, or weak administrator credentials at just one service provider could allow attackers to obtain millions of student records without breaching official government infrastructure.

As a result, government claims that central databases remain intact may technically be accurate while still leaving open the possibility that data were compromised elsewhere within the broader ecosystem.

Why Student Data Are Valuable to Cybercriminals

At first glance, children’s data might appear to have limited financial value since students generally lack bank accounts or credit cards. Cybercriminals, however, view such data very differently.

Personal details such as names, birth dates, addresses, and National Student Identification Numbers (NISN) are ideal building blocks for what is known as synthetic identity theft.

Criminals combine legitimate personal data with fabricated information to create convincing identities that can later be used to open bank accounts, apply for loans, or register mobile services.

These schemes often operate over long periods. Fraudsters may hold stolen identities for years until victims reach adulthood, making detection more difficult.

There is also the immediate risk of targeted scams.

With access to student and parental information, fraudsters can impersonate education authorities or scholarship providers, persuading families to pay fraudulent registration or verification fees.

Such messages appear credible because scammers already possess accurate personal details.

Legal Accountability Under Indonesia’s Data Protection Law

The controversy also tests Indonesia’s relatively new legal framework governing personal data protection. Law No. 27 of 2022, known as the Personal Data Protection (PDP) Law, establishes obligations for institutions handling citizens’ personal information.

Under the law, organisations controlling personal data must implement adequate protection measures and notify affected individuals if a breach poses risks. Notifications are required within three days of confirmed incidents.

If authorities eventually confirm a breach, questions will arise over whether notification obligations were met. Failure to comply could result in administrative sanctions, including operational restrictions or licence suspensions.

Criminal penalties are also possible. Individuals found intentionally distributing personal data without authorisation may face prison sentences and significant fines.

For now, however, officials maintain that no confirmed breach has been identified.

Parliamentary Pressure for Independent Investigation

Indonesia’s House of Representatives (DPR), particularly Commission X, which oversees education, has urged authorities not to dismiss the matter prematurely.

Lawmakers argue that regardless of where the leak may have occurred, public trust has already been shaken. Citizens entrusted their data to government institutions, and therefore expect accountability.

Parliamentarians are pushing for an independent forensic audit involving BSSN and other cybersecurity authorities to determine whether the alleged data are genuine and, if so, where vulnerabilities occurred.

Some legislators have also called for stricter regulation of education technology vendors, including potential blacklisting of companies found negligent in protecting user data.

A Broader Pattern of Digital Vulnerabilities

The current controversy follows earlier reports in January 2026 involving alleged exposure of university student data.

Although details remain unclear, the repeated emergence of similar incidents suggests systemic weaknesses in the country’s digital education infrastructure.

Indonesia has rapidly expanded digital systems across public services in recent years. While this transformation has improved efficiency and access, cybersecurity protections have not always kept pace.

Experts warn that digitalisation without strong data governance risks creating large, attractive targets for cybercriminals.
