PT Bank Syariah Indonesia Tbk (BSI) experienced a digital service disruption that began on Monday (May 8, 2023). Although services were initially claimed to be restored, some customers continued to face issues. Subsequently, the LockBit hacker group allegedly breached the data of millions of BSI customers, leaked the information on the dark web, and demanded a ransom of Rp 295.61 billion (approximately $20 million) for the bank to redeem the customer data.
Here is the complete chronological sequence of the crisis faced by BSI:
1. Initial Disruption and Maintenance Claim (May 8–10)
The service outage was first reported by customers on Monday (May 8) morning, paralyzing all BSI transaction channels, including BSI Mobile, ATMs, and tellers. Initially, BSI management stated the error was caused by system maintenance, and on Tuesday (May 9) it claimed that services were gradually recovering, with approximately 1,200 ATMs restored. However, on Wednesday (May 10), monitoring showed that BSI Mobile was not 100% normal and continued to experience frequent errors or timeouts.
2. Acknowledgment of Suspected Cyberattack (May 11)
On Thursday (May 11), BSI President Director Hery Gunardi announced that all services were fully restored. At the same time, however, he disclosed the discovery of a suspected cyberattack that caused the disruption. BSI responded by conducting an evaluation and temporarily switching off several channels to ensure system security.
3. BSI’s Assurance and Service Impact (May 12)
On Friday (May 12), BSI gave assurances that customer funds and data were safe and denied any occurrence of a rush money event (mass withdrawal of funds). Meanwhile, the Financial Services Authority (OJK) urged banks to enhance cyber mitigation. The disruption also impacted the payment process for Hajj pilgrimage fees, with 8,072 prospective pilgrims yet to complete their payments.
4. LockBit Hacker Claim and Transaction Evidence (May 13–15)
On Saturday (May 13), the LockBit 3.0 ransomware group, via the @DarkTracer intelligence account, claimed responsibility for the attack. The group asserted they had stolen 15 million customer data records, employee information, and approximately 1.5 Terabytes of BSI data, and accused the bank of lying by calling the incident a mere technical issue. Amidst the crisis, BSI recorded Rp 30 billion in third-party funds (DPK) from weekend banking, cited as evidence of high customer trust. On Monday (May 15), the critical MPN and SPAN Ministry of Finance transaction services, which were also affected, were confirmed to be back to normal.
5. Failed Negotiation and Ransom Demand (May 16)
The crisis peaked on Tuesday (May 16), when LockBit published the ransom negotiation history. The hacker group demanded $20 million (approximately Rp 295.61 billion). A counteroffer of $100,000 from the party allegedly representing BSI was flatly rejected. Due to the failure of the negotiation, LockBit allegedly leaked the stolen data on the dark web. BSI responded by asserting that it had enhanced and fixed its IT system security, with the top priority being the protection of customer data and funds.