Cybersecurity breaches on major securities firms raise alarm

Two major Indonesian securities firms, NH Korindo Sekuritas and Trimegah Sekuritas, fell victim to cyberattacks in May. NH Korindo managed to fend off the attack before any funds were withdrawn, limiting the damage to operational disruptions. Trimegah, however, wasn’t as fortunate. Losing an estimate of Rp 200 billion (US$12.3 million) from the breach.

The proximity of these two cybersecurity breaches, taking place so close together in time, raised alarms across the industry. In response, the Indonesian Securities Companies Association (APEI), in collaboration with the Indonesia Stock Exchange (IDX), sent formal letters to securities companies operating in Indonesia. These letters strongly urged the companies to immediately enhance and upgrade their cybersecurity systems to better guard against future cyberattacks of a similar nature.

Trimegah’s breach occurred on May 31, during the extended market holiday for Ascension Day that began on May 29. The timing proved critical as Trimegah’s response was delayed, giving the hackers a head start. Sources say the attackers gained access through the app’s application programming interface (API), which they manipulated to send fraudulent fund transfer instructions to the custodian bank. These instructions directed the bank to move money from customer fund accounts (RDN) to third-party bank accounts. Because these instructions appeared to come from legitimate customers, they were approved without suspicion.

Despite the scale of the breach, Trimegah's top brass acted quickly behind the scenes. Insiders revealed that the company’s owners personally covered the missing funds before markets reopened. By Monday morning, June 2, the shortfall had been resolved as if nothing had happened.

Initially, Trimegah appeared to want to keep the incident under wraps, likely to protect its reputation. But when APEI began sending out security advisories, questions were raised within the market, and curiosity grew around what had triggered the alerts.

NH Korindo’s attack, meanwhile, happened earlier on May 19. As in the Trimegah case, hackers breached the API of NH Korindo’s NAIK app. However, NH Korindo’s quick decision to shut down the app entirely helped contain the situation. Both the hackers and customers were locked out for about a week, until May 27, but ultimately, no company funds were lost.

The back-to-back breaches have since pushed some brokerages to tighten their security policies. Sucor Sekuritas, for instance, has updated its fund withdrawal procedures. Custodian banks are now only allowed to transfer funds from a customer’s RDN to bank accounts registered under the same customer’s name. Any request to transfer money to a third-party account is automatically rejected. While the move is meant to bolster protection, some customers have complained that the change is inconvenient.

Still, in the wake of these sophisticated cyberattacks, many view such “analog” safeguards as necessary. The breaches at both firms were believed to stem from internal vulnerabilities, meaning weaknesses in operational oversight, rather than from individual customer errors. While breaches at the user level are more common and difficult to stop due to numerous external factors, they are usually limited in scope, affecting only the individual account holder. In contrast, operational-level breaches can endanger the entire fund pool.

The APEI letters also seemed to imply the attacks were rooted in flaws within internal systems. To help firms bolster their defenses, the letters outlined eight recommended measures, including watching for phishing attempts and personal data theft, implementing multi-factor authentication, reviewing IT infrastructure, restricting system access and conducting regular employee training.

With advances in encryption technology, purely technical or brute-force hacks have become increasingly rare. Most modern cybersecurity breaches now rely on social engineering that exploits the human element. The daily habits and digital behaviors of individuals often pose a greater risk than the systems themselves. Today’s more advanced hackers may profile high-level staff through their social media presence, then cross-reference this information with databases of previously leaked credentials from past breaches. These aggregated data sets, which are often bought and sold on the dark web, help hackers identify reused passwords or security patterns, giving them potential entry points into secure systems.