Indonesian influencer Abil Sudarman was targeted in a cyberattack following his criticism of a job posting by the Ministry of Communication and Digital (Komdigi). The posting, for individual procurement of other services (PJLP), was flagged for potential violations of the Personal Data Protection Law.
Data Security Concerns at Komdigi
The controversy began when Komdigi announced nine job openings on January 8, 2026, requiring applicants to submit sensitive personal documents – including CVs, ID cards, and transcripts – to a link provided in the announcement. That link redirected to an open-access Google Drive, exposing applicants’ data to public view.
Abil Sudarman highlighted the vulnerability in a video posted to his Instagram account, @abilsudarman, on January 27, 2026, awarding Komdigi what he termed the “oddest job vacancy award of 2026.” Two hours after posting the video at 1:00 PM WIB (Western Indonesian Time), Sudarman’s startup, ordal.id, and his social media accounts were subjected to a “denial of service” attack.
Sophisticated Cyberattack
The attack on ordal.id involved the spamming of over 16,000 fake job postings to the platform’s 53,000 users, generated using artificial intelligence (AI). Abil noted the attack was sophisticated, bypassing the AI security measures implemented on his website. Attempts were also made to log into his Instagram and X (formerly Twitter) accounts. While Instagram access was prevented, attackers successfully logged into his X account and removed his video criticizing Komdigi.
Abil stated that the attack appeared to be purely destructive, with no data stolen or ransom demands made. He expressed doubt that the attack was carried out by amateur hackers, citing his experience with previous, less disruptive security breaches where attackers typically sought recognition or reward.
Criticism and Potential Consequences
The Indonesian Digital Convergence, Innovative Synergy, or KONDISI, also criticized Komdigi’s handling of applicant data. KONDISI Director Damar Juniarto stated the situation was “ironic,” given Komdigi’s role in proposing the Personal Data Protection Law. KONDISI asserts that Komdigi violated Articles 16 and 35 of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law) by failing to protect applicant data from unauthorized access.
As of January 28, 2026, Komdigi Minister Meutya Hafid and Secretary-General Ismail had not responded to requests for comment regarding the job posting and the security concerns raised.
Frequently Asked Questions
What type of data was potentially exposed?
Applicants were asked to submit CVs, photocopies of diplomas, ID cards, transcripts, and a health certificate to the publicly accessible Google Drive, potentially exposing a wide range of personal information.
What is a “denial of service” attack?
A “denial of service” attack is an attempt to disrupt the normal functioning of a website by overwhelming it with traffic, making it inaccessible to legitimate users. In this case, ordal.id was flooded with fake job postings.
What does KONDISI suggest Komdigi do?
KONDISI urged Komdigi to conduct an audit of the data breach and report it, as required by the Personal Data Protection Law, and to notify affected individuals.
Given the criticism and potential legal ramifications, Komdigi may be compelled to conduct a thorough internal review of its data handling procedures. It is also possible that further investigation will be launched to determine the source of the cyberattack against Abil Sudarman.
