Another data theft re-occured in Indonesia lately and it became a hot conversation across social media platforms. One netizen with Twitter username @ridu reported that his credit card application was rejected as his credit rating appeared in the worst category (KOL 5) on SLIK, Indonesian’s centralized Financial Information Service System owned by OJK (Indonesia’s Financial Service Authority).
Here’s what @ridu said on his twitter.
“Shocked to see my credit score in SLIK from OJK is rated 5, means bad debt and all of the debts are from PT Caturnusa Sejahtera Finance, @traveloka paylater partner, whereas I don’t have any Pay Later account. There was stated that I have 3 loans on May 5, 2019”
Kaget liat SLIK dari OJK ternyata kualitas kredit gue 5 alias kredit macet dan semuanya itu dari PT Caturnusa Sejahtera Finance, mitra paylater @traveloka, padahal gue ga punya akun paylater sama sekali. Tapi di situ tercatat gue ada 3 kredit semuanya di tgl 5 Mei 2019.
— Ridu (@ridu) April 19, 2021
Below is how OJK rates consumers according to creditworthiness:
- KOL 1 – if the debtors always pay on time, no overdue payment
- KOL 2 – if the debtors have overdue payment from 1 to 90 days
- KOL 3 – if the debtors have overdue payment from 91 to 120 days
- KOL 4 – if the debtors have overdue payment from 121 to 180 days
- KOL 5 – if the debtors have overdue payment >= 180 days overdue
Apparently the cause for rejection of @ridu’s credit card application is his KOL5 credit status.
After checking his credit record through OJK’s SLIK, which unfortunately could take up to 1 month to get the documents, he is recorded as having three overdue loans ] from Traveloka PayLater, of IDR400,000, IDR1 million and IDR3 million respectively. (IDR1 million is roughly US$69)
Traveloka PayLater is Traveloka’s online credit product that enables users to pay for various products in Traveloka with installments. Currently, PayLater can be used for all products in Traveloka except for connectivity products such as prepaid card and WiFi.
All @ridu’s outstanding loans are under his name and his ID card. However, the address and job details were unmatched.
It is clearly an instance of data theft. People steal other people’s ID and apply for loans. At the same time, there’s a loose verification process on the service provider’s side.
Here’s what I found through Twitter – Blank ID cards and fake ID cards are being sold freely on social media. The original post was also mentioned that it can be used for online P2P lending registration.
In this case, we can say that there’s a problem with PayLater’s KYC process. The Traveloka side has said the company has implemented a layered KYC system to ensure the security and compatibility of data submitted by users.
Users need to submit eKTP (ID card) and a picture of them holding the ID Card to pass the KYC process. However, we can say that the “easy KYC process” has cost a lot of things to the consumer.
Moreover, Traveloka has failed to protect their customer’s data.
It is an irony. The PayLater model was designed to make everyone have easy access to “credit” offered by financial institutions, especially to those who have no credit card. But now, this easy access leads to easy data theft too.
Data security is a crucial issue to address by these tech companies. Last year, Cermati.com, a fintech aggregator and KreditPlus, a financing company both experienced a data breach.
Data about 3 million users on Cermati.com was leaked and sold online for US$2,200 on October last year.
Three Indonesian ecommerce platforms, Bhinneka.com, Bukalapak and Tokopedia, also reportedly experienced data breaches that saw their customers’ details sold on the dark web.
We admit that many of the platforms are inexperienced in dealing with data protection, especially when they are growing fast last year, with probably lots of employees working from home.
However, as we can see Indonesian consumers, especially those living in cities, do care about their personal data. Maybe it is time for both regulators and platforms to come together to take some concrete actions, including a personal data protection bill.
It is also important for the emergent digital banks in Indonesia to take care of their customers’ data – because most of the first batches of target customers are the urban youth, who do care about privacy.