Incident response
How to check if your data has leaked, and what to do next
In short
Reputable sites to check whether your personal data has leaked, what to do right after, and the 3x24 hour breach notification duty companies face under UU PDP.
Every time news of a national data leak breaks in Indonesia, millions of people search for the same thing: was my data in it? The good news is that a few reputable services can answer that question in seconds, for free, and without adding new risk.
This page explains how to check whether your data has leaked, what the exposed data types actually mean, which steps to take immediately, and the part that rarely gets covered: the legal obligations a company faces when its customer data shows up in a leak.
The 2025-2026 breach wave
Indonesia is going through one of its worst stretches of data exposure. Surfshark recorded around 944 thousand breached Indonesian accounts in the third quarter of 2025, a 351% jump on the previous quarter, putting Indonesia among the ten most breached countries in the world.
In September 2025, police arrested a 22-year-old man in Minahasa who claimed to operate under the Bjorka alias and stood accused of breaching data on 4.9 million bank customers. Police did not confirm whether he is the same Bjorka behind the major 2022 leaks. A month later, in October 2025, an account using the Bjorka name claimed to be selling 128 million SIM card registration records on the dark web, containing NIK numbers, phone numbers, operators, and registration dates in a file of roughly 8 GB. That claim remains unverified, but the pattern is clear: national-scale leaks are no longer exceptional events, they are a recurring cycle.
Which is why checking your own exposure should be routine hygiene, not a panic response to each headline.
How to check whether your data has leaked
The three services below are free, long established, and only need an email address. Enter your email and the service compares it against publicly known breach databases.
Have I Been Pwned
The largest breach database in the world, run by security researcher Troy Hunt since 2013. Covers billions of accounts across thousands of incidents, including several major breaches involving Indonesian users. Checks both email addresses and phone numbers.
Periksa Data
Built by Indonesia's cybersecurity community at periksadata.com, with a focus on breaches involving Indonesian services and platforms. It has been covered by CNN Indonesia, CNBC Indonesia, and Kompas TV.
Mozilla Monitor
Formerly Firefox Monitor. Uses Have I Been Pwned data, is free, and can watch up to 20 email addresses at once with automatic alerts whenever your email appears in a new breach.
One safety rule matters here: legitimate breach checkers only ask for an email address or phone number. Any site that asks for a password, an OTP code, a photo of your ID card, or payment to "clean up your data" is a scam, and these tend to appear precisely when breach news is trending.
Understand the limits too. No single service covers every leak. SIM registration or civil registry data, for example, often contains no email addresses, so it cannot be checked per person through these tools. A "no results" outcome means your email was not found in the databases they hold, not a guarantee that your data has never leaked anywhere.
What the leaked data types mean
Not every leak is equally dangerous. Your actual risk depends on what kind of data was exposed.
| Data type | Main risk |
|---|---|
| NIK | Cannot be replaced, ever. It is used to verify online loans, SIM registrations, and bank account openings, so a leaked NIK can be used to register services in your name. |
| Phone number | The prime target for social engineering fraud, spam, and SIM swap attempts. A phone number combined with a NIK lets scammers impersonate your bank or operator very convincingly. |
| Email address | The entry point for targeted phishing. Email is also the password-reset key for almost every other account you hold, so a compromised inbox puts those accounts at risk too. |
| Passwords | Immediately dangerous if you reuse the same password across accounts. Attackers run credential stuffing, automatically trying leaked email and password combinations against hundreds of other services. |
Immediate steps if your data has leaked
Start with your primary email account password, because email is the reset key for everything else. Change the password on every affected service, and stop using one password across multiple accounts. A password manager makes this far easier to sustain.
Turn on two-factor authentication (2FA) for email, banking, and social media. An authenticator app is safer than SMS codes, since SMS can be hijacked through a SIM swap.
The third step is the one that most often decides the outcome: watch for social engineering, known locally as soceng. Leaked data is rarely used to break into accounts directly. Far more often, a scammer calls or messages on WhatsApp quoting your full name and correct personal details to sound official, then asks for an OTP code. The OTP is the last key that only you hold. Banks and operators never ask for it, so anyone who does is a fraudster.
Finally, monitor your bank statements and check whether any online loans have been opened in your name. If you find misuse, report it to the bank or provider involved, and to the police if you suffer losses.
What companies must do when customer data leaks
Everything above is for individuals. But every leak has two sides, and on the other side sits a company whose data leaked, facing legal obligations on a very short clock.
Under UU PDP (Law 27/2022) Article 46, when a personal data protection failure occurs, the data controller must deliver written notification within 3x24 hours (72 hours) to two parties: the affected data subjects and the supervisory institution. The notification must state at minimum what personal data was exposed, when and how it was exposed, and the handling and recovery efforts being made. In certain cases, the company must also notify the public. The supervisory institution envisaged by the law had not been established as of mid-2026, with Komdigi performing the oversight function in the interim.
That 72-hour deadline is tight. In practice a company must detect the incident, establish the scope of the data involved, draft the written notification, and deliver it, all within three days. A company that starts writing its notification template during the incident is almost certain to miss it. The consequences are real: UU PDP administrative sanctions range from written warnings and temporary suspension of processing to fines of up to 2% of the annual revenue tied to the violation.
Two capabilities make the deadline achievable. The first is incident response readiness: a team, playbooks, and notification templates tested before the incident, as laid out in our guide to the first 72 hours of ransomware response. The second is dark web monitoring: watching data-trading forums and dark web channels so the company learns its data is circulating from its own monitoring, not from a journalist or an angry customer. That head start is what decides whether 72 hours is enough.
Leaked employee credentials are also a common entry point for follow-on attacks such as business email takeover, which we cover on the business email compromise protection page.
How Alpha Code helps
Our Incident Response service covers 24/7 response from our Jakarta Security Operations Center, digital forensics, and regulator notifications drafted to the UU PDP deadline. Through SOC-as-a-Service we also run continuous monitoring, including detection of company credentials and data circulating on the dark web, so incidents are caught before they become headlines.
This page is general guidance, not legal advice. Confirm your obligations against the current provisions before making compliance decisions.
Sources
- 1.Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi
- 2.Have I Been Pwned
- 3.Periksa Data
- 4.Mozilla Monitor
- 5.Surfshark, data breach statistics by quarter
- 6.The Jakarta Post, Jakarta police arrest alleged hacker using Bjorka alias (October 2025)
- 7.Metro TV News, Bjorka claims 128 million SIM records leaked (October 2025)
Reviewed by Mirna Indriasari, Security Program Manager
Frequently asked questions
The three most widely used services are Have I Been Pwned, Periksa Data (periksadata.com), and Mozilla Monitor. All three are free and only need an email address to check whether it appears in publicly known breach databases.
Related
Solutions
From the blog
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.