A high-severity public sector breach impacting the Provincial Government of DKI Jakarta (jakarta.go.id) was confirmed on June 3, 2026, after monitored cybercrime channels surfaced a live sale thread offering unauthorized relational extractions from the provincial citizen CRM, official government email systems, and national NIK (Nomor Induk Kependudukan) identity records tied to Indonesia's capital megacity.
What Happened
A threat actor posted a structured sales listing on a prominent underground forum advertising raw database exports sourced from backend systems linked to the Jakarta Provincial Government. The listing includes relational schemas, nested database headers, and validation snippets to substantiate the claim, with the seller marketing the package as fresh, organized, and privately held. Transactions are being routed exclusively through privacy-centric cryptocurrencies to filter buyers and accelerate delivery. The disclosure bypasses any private extortion phase and moves directly to commercialization, indicating the actor is prioritizing rapid monetization through downstream fraud syndicates and profiling networks.
What Was Taken
The leaked dataset reportedly includes citizen CRM schemas covering civil registration, local tax filing, and social aid distribution records; official jakarta.go.id government email credentials and identities; and national NIK identity verification parameters belonging to Indonesian residents processed through the metropolitan administrative system. The combination of municipal personnel directories with sovereign identity numbers gives buyers an unredacted operational map of Jakarta's workforce demographics and a high-yield identity verification corpus usable for impersonation, SIM swap fraud, and downstream KYC bypass.
Why It Matters
Jakarta is Indonesia's economic and administrative epicenter, and Pemprov DKI manages services for millions of residents across smart-city, welfare, and revenue platforms. Exposure of the citizen CRM alongside NIK numbers and government email accounts creates compound risk: NIK is the cornerstone identifier for Indonesian banking, telecom, and government services, and government email accounts enable lateral phishing across federal agencies. This incident follows the Jabarprov (West Java) exposure earlier in 2026, indicating an industrialized targeting campaign against Indonesian provincial governments rather than isolated opportunism.
The Attack Technique
The seller has not publicly disclosed the initial access vector, but the volume and structural cleanliness of the exfiltrated records, including intact relational schemas and nested headers, are consistent with direct backend database compromise rather than scraping. Likely vectors include exposed administrative panels on regional citizen portals, exploitation of identity synchronization engines bridging municipal and national identity systems, or compromised credentials on jakarta.go.id mail infrastructure used to pivot into connected database mainframes.
What Organizations Should Do
- Indonesian agencies tied to Dukcapil and NIK validation pipelines should audit all integrations with Jakarta provincial systems and rotate any shared service credentials immediately.
- Force password resets and enable MFA across all jakarta.go.id mail accounts, and inspect mailbox forwarding rules and OAuth grants for persistence.
- Hunt for anomalous database export activity, large SELECT operations, and unusual outbound transfers against provincial CRM and citizen registry backends going back at least 90 days.
- Financial institutions and telecoms operating in Indonesia should elevate fraud scoring on NIK-based KYC checks and flag accounts opened with Jakarta-resident identifiers during the exposure window.
- Monitor underground forums and Telegram channels for re-listing, sample drops, or repackaged combolists derived from the dataset.
- Notify affected citizens through official BSSN and Kominfo channels and provide guidance on identity monitoring and phishing risk.
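
The database-export hunt from the list above, sketched as an added example (not code from the original report or from any affected agency): it reads a database audit export and flags SELECT statements inside the 90-day window whose row count far exceeds the account's usual volume. The CSV columns, account names, table names, IP addresses and thresholds are assumptions constructed for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export (columns, accounts, tables and IPs are assumptions).
SAMPLE_AUDIT = """\
ts,account,client_ip,statement,rows
2026-02-01T02:00:00,crm_app,10.0.4.11,SELECT * FROM citizens,900000
2026-03-10T09:12:00,crm_app,10.0.4.11,SELECT name FROM citizens WHERE id=?,1
2026-04-02T10:30:00,crm_app,10.0.4.11,SELECT * FROM tax_filings WHERE year=?,250
2026-04-20T11:05:00,crm_app,10.0.4.11,SELECT name FROM citizens WHERE id=?,1
2026-05-18T02:41:00,crm_app,203.0.113.7,SELECT * FROM citizens,1200000
2026-05-19T03:02:00,svc_sync,203.0.113.7,SELECT nik FROM identity_sync,480000
2026-05-05T06:00:00,report_job,10.0.4.20,SELECT * FROM aid_summary,15000
2026-05-12T06:00:00,report_job,10.0.4.20,SELECT * FROM aid_summary,14800
2026-05-19T06:00:00,report_job,10.0.4.20,SELECT * FROM aid_summary,15200
"""

def hunt(audit_csv, now, lookback_days=90, factor=20, floor=10_000, min_history=3):
    """Flag SELECTs in the lookback window that return far more rows than the account's norm."""
    cutoff = now - timedelta(days=lookback_days)
    events = []
    for rec in csv.DictReader(io.StringIO(audit_csv)):
        ts = datetime.fromisoformat(rec["ts"])
        if ts >= cutoff and rec["statement"].lstrip().upper().startswith("SELECT"):
            events.append({**rec, "ts": ts, "rows": int(rec["rows"])})
    history = defaultdict(list)  # per-account row counts seen inside the window
    for ev in events:
        history[ev["account"]].append(ev["rows"])
    hits = []
    for ev in events:
        if ev["rows"] < floor:
            continue  # reads below the floor are not treated as bulk exports
        seen = history[ev["account"]]
        if len(seen) < min_history:
            # Too few events to form a baseline: report on the floor alone.
            hits.append({**ev, "reason": "no baseline"})
        elif ev["rows"] > factor * max(statistics.median(seen), 1):
            hits.append({**ev, "reason": "exceeds account median"})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_AUDIT, now=datetime(2026, 6, 3)):
        print(hit["ts"], hit["account"], hit["client_ip"], hit["rows"], hit["reason"])
```

The recurring `report_job` reads stay quiet because they match that account's own median, while the rarely used `svc_sync` account is reported on the floor alone since it has no history to compare against.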