Hackers Claim 58 Million Indonesian Students Data for Sale on Dark Web

Claims that cybercriminals obtained personal information for as many as 58 million Indonesian students have sent shockwaves through the country’s education sector.

Social media discussions erupted after reports emerged that someone was selling this massive data trove on underground forums.

The allegations, if confirmed, would mark one of the largest known student data exposures ever linked to Indonesia’s public sector. Government officials have quickly denied that a breach of their main servers has occurred by hackers.

However, this has sparked a heated discussion about the ways schools and education organizations manage and protect sensitive personal information.

Government Denies Breach Amid Ongoing Investigation

Alarm spread rapidly after posts on social media platform X identified an anonymous seller using the name “SN1F.” This individual allegedly advertised access to Indonesian student records through dark web channels.

The hacker asserted that he held both prior student database information and continual access to extract live data from legitimate databases. On February 10, 2026, Coordinating Minister for Human Development and Culture Pratikno stated, “Our investigations found no evidence of any breach on government education-related servers.”

According to the Ministry of Education’s Data & Information Evacuation Centre personnel, “Our investigations disclosed no evidence of a breach within any governmental education systems.”

Continuing to investigate this issue are the cooperating agencies involved with the National Cyber and Encryption Agency, as well as representatives of the Ministry of Communication and Digital Affairs, and authorities involved in education-related matters.

Education Minister Abdul Mu’ti also dismissed suggestions that hackers accessed the national education database, known as Dapodik. Despite these official denials, many observers now question how such enormous volumes of student data could appear in cybercrime markets at all.

Third-Party Vendors Emerge as Potential Weak Link

Indonesia’s student data do not live in one centralized vault. Schools send records to district and municipal education offices, which eventually forward them to national servers. Along this path, data often passes through numerous third-party platforms operated by private technology companies.

The country’s rapid push toward digital schooling has led institutions to adopt various privately developed systems. These include attendance tracking tools, learning management platforms, and digital student admission systems. Many of these platforms require access to student information or rely on data exports from official systems.

Cybersecurity specialists describe this exposure as a “data supply chain” vulnerability. A poorly secured server at just one service provider could allow attackers to obtain millions of student records without ever touching government infrastructure.

Cybercriminals are increasingly targeting the education and telecom sectors across Africa, exposing critical vulnerabilities in citizen data protection.

Government claims that central databases remain intact may be technically accurate, even though attackers compromised data elsewhere in the ecosystem.

Student Data Powers Synthetic Identity Theft

Student data might seem to have limited value since children generally lack bank accounts or credit cards. Cybercriminals see things very differently. Criminals can use an individual’s personal information, like their name, date of birth, home address, and National Student ID number, to create a synthetic identity for the purpose of stealing their identity.

A criminal can keep a stolen identity for a long time because many victims will not discover they have been a victim of identity theft until they reach adulthood, and by that time, it will be much harder to identify who has stolen their identity.

In addition to the long-term risk, there is also an immediate risk related to the amount of personal information available to criminals. If a criminal has access to a student’s personal information and the student’s parents’ personal information, the criminal can impersonate a legitimate education authority or scholarship agency in order to convince the student’s family to send money to the criminal in payment of some fraudulent fee. Because the criminal has the actual, valid personal information, the criminal’s scam will appear credible.

This controversy raises questions about how effectively Indonesia’s Personal Data Protection Act (Law No. 27 of 2022) is enforced, particularly its requirement that data controllers safeguard personal data and notify affected individuals within three days of discovering a breach that poses a risk. If authorities eventually confirm a breach, failure to comply could result in administrative sanctions or criminal penalties.

Indonesia’s House of Representatives, particularly Commission X, which oversees education, has urged authorities not to dismiss the matter prematurely. Lawmakers say citizens expect the government to take responsibility for keeping their personal data safe.

Therefore, they are advocating for an independent forensic audit and a stricter regulatory framework for education technology vendors.