Indonesian telecommunications giant Smartfren is allegedly the latest victim of a significant data breach, with threat actors claiming to be selling access to an internal SIM registration panel. Smartfren, a major player in the Indonesian telecom market, provides a wide range of services including mobile and data services. The compromised panel is reportedly a centralized platform crucial for customer registration, managing transactions, and overseeing field operations, highlighting the potential severity of this incident.
The origin of the alleged breach appears to be unauthorized access to a core system, with the perpetrators offering proof through images of the panel and data samples. This internal system is vital for services such as prepaid SIM registration for both Indonesian citizens (WNI) and foreign nationals (WNA), IMEI and voucher checks, and mobile top-ups. The sheer volume of data handled by this platform is concerning, with claims of over 920,000 transactions processed in just a 10-day period, and an estimated 220+ million transactions potentially recorded over five years.
The data allegedly exposed through this access is extensive, encompassing a wide array of sensitive customer and operational information. The referenced data structure includes, but is not limited to, the following categories:
- CHANNEL ID, CHANNEL NAME
- NASIONAL, GREATER REGION, REGION, CLUSTER, SUB CLUSTER, TERRITORY ID
- PROVINCE, CITY, DISTRICT, SUB DISTRICT
- PARENT ORGANIZATION ID, PARENT ORGANIZATION NAME, ORGANIZATION ID, ORGANIZATION CODE, ORGANIZATION NAME
- ORGANIZATION TYPE, ORGANIZATION CATEGORY, FULL NAME, ORGANIZATION CLASSIFICATION
- OUTLET NUMBER, OWNER NAME
- ID TYPE, ID VALUE, COMMUNITY ID TYPE, COMMUNITY ID VALUE
- PROGRAM
- CONTACT BIRTH PLACE, DATE OF BIRTH, RELIGION
- CONTACT NUMBER, OUTLET NUMBER, MDN STS
- STREET ADDRESS, ADDITIONAL ADDRESS
- ORGANIZATION LONGITUDE, ORGANIZATION LATITUDE, ZIP CODE
- ELOAD NUMBER, ELOAD USERNAME, EMAIL
- NIK (National Identity Number)
- BANK NAME, ACCOUNT NUMBER, BANK ACCOUNT NAME
- CUSTOMER GROUP
- APPROVAL DATETIME, APPROVAL USER ID, APPROVAL USERNAME
- NAME DESIGNATION, CONTACT JOB POSITION
- BUSINESS TYPE, BUSINESS FOCUS, BUSINESS SIZE
- TMS GUID
- SELLING TYPE
- CONTACT KK NUMBER (Family Card Number), CONTACT NPWP NAME (Taxpayer Identification Number Name)
- IMAGE PATH
- BTS ID
- TYPE OF PAYMENT
- CREATED BY, CREATED ON, UPDATED BY, UPDATED DATE
- STATUS
This detailed information could potentially be used for various malicious activities, including identity theft, financial fraud, and targeted social engineering attacks. The fields listed indicate a deep level of access, supporting internal mapping, outlet-level validation, identity verification, financial linkage, and operational traceability.
