Key Takeaways
- Bank Syariah Indonesia (BSI) was attacked by LockBit ransomware in May 2023, disrupting banking services for millions of Indonesian customers
- LockBit claimed to have stolen 15 million customer records including account data, personal information, and internal documentation
- The attack took BSI's mobile banking and ATM services offline for several days — affecting the bank's 15 million+ customer base
- Indonesia's OJK (Financial Services Authority) issued enhanced cybersecurity guidance for the banking sector following the incident
- BSI is Indonesia's largest Islamic bank, making the attack a high-profile test of Indonesian financial sector resilience
The Facts
When customers of Bank Syariah Indonesia tried to access their accounts through mobile banking on the morning of 8 May 2023, many found themselves locked out. The disruption that followed — lasting several days and affecting ATM networks, mobile banking, and branch operations — would become one of Indonesia's most significant financial sector cybersecurity incidents.
LockBit ransomware — at the time the world's most prolific ransomware group — claimed responsibility. The group published what it described as samples of stolen data and alleged that 15 million customer records, staff personal data, and internal banking documentation had been exfiltrated before the encryption payload was deployed.
BSI's 15 million+ customer base — consisting primarily of Indonesian Muslims using Islamic banking services — was left without full banking access during the operational recovery period. The bank acknowledged the attack, initiated recovery operations, and reported the incident to Bank Indonesia and OJK as required under the banking sector's cyber incident reporting obligations.
An international law enforcement operation in February 2024 eventually took down significant portions of LockBit's infrastructure, but the group has shown partial reconstitution capabilities, and the BSI attack data remained available on dark web forums long after the law enforcement operation.
Technical Deep-Dive
Ransomware attacks on large financial institutions typically follow a patient, multi-stage timeline. Initial access at BSI was likely achieved through phishing, compromised credentials, or exploitation of exposed external services, the three dominant initial access vectors for financial sector intrusions in the 2022-2023 period.
Following initial access, the dwell phase — during which LockBit affiliates conducted network reconnaissance, identified high-value data stores, mapped backup systems, and prepared the encryption deployment — likely extended over weeks or months before the May 8 visible attack. During this phase, the 15 million customer records would have been copied to attacker-controlled infrastructure, leaving no immediate operational indicator of the ongoing exfiltration.
The deployment of the encryption payload — the moment the attack became visible — was timed to maximise ransom pressure: a Monday morning when banking activity peaks and operational disruption creates immediate customer-facing impact.
Indonesian banking sector IT architecture typically involves core banking systems with external-facing APIs for mobile banking and internet banking portals. Lateral movement from a compromised perimeter system to the core banking infrastructure, while technically challenging, is achievable in environments without rigorous network segmentation.
The ASEAN Perspective
The BSI attack was a watershed moment for Indonesian financial sector cybersecurity. OJK's post-incident guidance updated requirements for Indonesian banks, including enhanced network monitoring, improved backup system isolation, and more rigorous access controls for critical banking system administration.
For ASEAN's broader banking sector, the incident illustrates the targeting of Islamic banking institutions, a growing financial sector segment in Indonesia (the world's largest Muslim-majority nation), Malaysia, Brunei, and parts of Thailand. LockBit and successor groups have shown no distinction in targeting between conventional and Islamic banking.
Bank Indonesia's 2025-2026 cybersecurity regulations have incorporated lessons from the BSI incident into updated requirements for all Indonesian banking institutions.
RECATOOLS Verdict
The BSI breach is a case study in the real operational cost of ransomware beyond the ransom demand: days of customer service disruption, reputational damage in a competitive banking market, regulatory scrutiny, and the long-term risk from 15 million records available on dark web markets. The total cost substantially exceeds any ransom demand.
Sources
- CSIS Significant Cyber Incidents Timeline 2023
- Positive Technologies ASEAN Cyberthreats 2023-2024
- OJK Indonesia Banking Cybersecurity Guidance 2023
FAQ
What happened to Bank Syariah Indonesia? LockBit ransomware attacked BSI in May 2023, disrupting mobile banking and ATM services for several days and claiming to have stolen 15 million customer records.
What is BSI? Bank Syariah Indonesia — Indonesia's largest Islamic bank, formed through the merger of three state-owned Islamic banking units, with over 15 million customers.
Was the ransom paid? BSI did not publicly disclose its ransom decision.
What happened to LockBit? LockBit's infrastructure was disrupted by international law enforcement in February 2024, though the group has shown partial operational reconstitution since.
What changed in Indonesian banking security after the attack? OJK issued enhanced cybersecurity guidance for the banking sector, including improved network monitoring requirements, backup isolation standards, and access control upgrades.