Alleged Student Data Leak, IPB University Cybersecurity Expert Warns of Serious Risks

Allegations of personal data leakage have resurfaced following the circulation of social media posts displaying sensitive student data from several higher education institutions, allegedly being traded on the dark web.

A Cybersecurity Systems Expert at IPB University, Dr Heru Sukoco, stated that the alleged data leak currently circulating in the public sphere remains preliminary information or an indication, rather than a legal conclusion establishing fault on the part of any specific party.

“This alleged leak needs to be examined carefully from multiple aspects and perspectives,” said the lecturer from the Computer Science Study Program, School of Data Science, Mathematics, and Informatics, IPB University.

In this context, he introduced two terms that are often perceived as synonymous, namely data breach and data leak.

“A data breach is an incident in which confidential and sensitive personal data falls into the hands of unauthorized parties through active and intentional actions. Meanwhile, a data leak does not occur due to a direct attack as in a data breach,” he explained.

In principle, student data constitutes personal data whose management is regulated under Law Number 27 of 2022 on Personal Data Protection (PDP Law). This regulation emphasizes the obligation of data controllers, including higher education institutions, to ensure data security and confidentiality, while also promoting preventive efforts against the risk of data leakage.

“Student data is sensitive personal data that must be protected. Its leakage has the potential to result in identity misuse, legal losses, and a decline in public trust,” he said.

According to him, the level of security of academic systems in higher education institutions remains uneven and is highly dependent on the internal governance of each institution. Therefore, strengthening policies, improving cybersecurity literacy, and implementing security standards such as NIST CSF 2.0 or ISO/IEC 27001 have become urgent and unavoidable needs.

In the national context, Dr Heru emphasized that the security of student data is a shared responsibility between higher education institutions and the Higher Education Database (PDDIKTI).

“If such data is leaked, not only students but all entities within it, namely lecturers, study programs, and universities, are at risk of identity misuse, digital fraud, as well as social and economic losses,” he stated.

He added that higher education institutions and PDDIKTI may be subject to administrative sanctions and even legal consequences if deemed negligent in fulfilling their data protection obligations.

“Many campuses still focus on academic services without being balanced by strengthening digital security, conducting system audits, and increasing cybersecurity awareness. In fact, the PDP Law has been enacted since October 17, 2022, and has been fully enforceable starting October 17, 2024,” he emphasized.

Dr Heru concluded by stressing that if the alleged student data leak is proven to have occurred, its impacts will not be merely technical, but also social, legal, and reputational. These risks include identity misuse for fraud, illegal online loans, and threats to personal privacy and security, including social engineering and phishing.

“This incident also affects organizational reputation, such as declining public trust and legal risks, because institutions may be considered negligent in protecting personal data, with long-term consequences,” he said.

“Leaked data is permanent and extremely difficult to retract. Digital footprints will remain ‘immortal’ on the internet,” he concluded. (dh) (IAAS/KAL)