Advances in information technology have driven massive digital transformation among Digital Service Providers (DSPs) in Indonesia, but this development has also increased the potential for increasingly complex cybercrime threats, particularly in the form of ransomware attacks. This normative legal study aims to examine the construction of criminal acts and criminal liability in cases of personal data hacking through ransomware attacks. The results of the study show that ransomware is a multi-layered criminal offense punishable under Law No. 1 of 2024 concerning the Second Amendment to the ITE Law (Articles 30, 32, and 27B) for illegal access, system destruction, and digital extortion, as well as Law No. 27 of 2022 concerning Personal Data Protection (PDP Law) (Articles 67(2) and (3)) for the unlawful disclosure and use of personal data. The concept of criminal liability is expanded from the main perpetrator and accomplices under Article 20 of the 2023 Criminal Code to accomplices under Article 21 of the 2023 Criminal Code in transnational syndicates. In addition, PLDs acting as Personal Data Controllers may be subject to corporate criminal liability (Article 118 of the 2023 Criminal Code) and fines (Article 57 of the PDP Law) if they are proven to have been negligent in maintaining user data security, which facilitates attacks. Although there is existing jurisprudence in the Sleman District Court Decision No. 527/Pid.Sus/2020/PN Smn, law enforcement in Indonesia faces major challenges in the form of cross-border crimes, limitations in digital forensics, and the lack of strong international cooperation, which has made it difficult to achieve concrete criminal liability in many major cases such as BPJS Kesehatan and KPU.

Journals:

Ali, A. (2017). Ransomware: A research and a personal case study of dealing with this nasty malware. Issues in Informing Science and Information Technology, 14(2017), 087-099. https://doi.org/10.28945/3707

Alzagladi, H., et. al. (2023). Pertanggungjawaban Pidana Tanpa Hak Mendistribusikan Informasi Dokumen Elektronik Milik Nasabah Finansial Teknologi. Aufklarung: Jurnal Pendidikan, Sosial dan Humaniora, 3(4), 103-111.

Angnesia, K. M., & Wiraguna, S. A. (2025). Analisis Pertanggungjawaban Hukum Pemerintah dalam Menegakkan Pelindungan Data Pribadi di Era Digital. Perspektif Administrasi Publik Dan Hukum, 2(2), 176-187. https://doi.org/10.62383/perspektif.v2i2.249

Ardiyanti, H. (2016). Cyber-security dan tantangan pengembangannya di indonesia. Jurnal Politica Dinamika Masalah Politik Dalam Negeri Dan Hubungan Internasional, 5(1).

Hasna, K. (2023). Kendala Implementasi Perlindungan Hukum Keamanan Data Pribadi Nasabah Bank BSI Atas Ancaman Ransomware (Doctoral dissertation, Universitas Islam Indonesia). dspace.uii.ac.id/123456789/47738

Maheswari, E. P., & Wiraguna, S. A. (2025). Urgensi persetujuan pemilik data dalam pengelolaan data pribadi oleh platform digital. Jurnal Ilmu Komunikasi Dan Sosial Politik, 2(4), 908-914. 10.62379/jiksp.v2i4.2498

Prayugah, I., et. al. (2025). Analisis Sentimen Publik Atas Respons Pemerintah Pada Serangan Ransomware Dengan Pendekatan Machine Learning Dan Smote. JOISIE (Journal Of Information Systems And Informatics Engineering), 8(2), 333-343. https://doi.org/10.35145/joisie.v8i2.4764

Sorisa, C., et. al. (2024). Etika Keamanan Siber: Studi Kasus Kebocoran Data BPJS Kesehatan di Indonesia. Journal Sains Student Research, 2(6), 586-593. https://doi.org/10.61722/jssr.v2i6.2996

Tajriyani, N. S. (2021). Pertanggungjawaban Pidana Tindak Pidana Pemerasan Dengan Modus Operandi Penyebaran Ransomware Cryptolocker (Doctoral dissertation, Universitas Airlangga). https://doi.org/10.20473/jd.v4i2.25785

Wibowo, M. S. I., & Munawar, A. (2024). Kendala teknis dan hukum dalam proses penyidikan tindak pidana siber di Indonesia. Jurnal Hukum Lex Generalis, 5(7).

Widyaningrat, I. A. W., & Dharmawan, N. K. S. (2014). Tanggung Jawab Hukum Operator Telepon Selular Bagi Pengguna Layanan Jasa Telekomunikasi Dalam Hal Pemotongan Pulsa Secara Sepihak Di Denpasar. Kertha Semaya: Journal Ilmu Hukum, 2(5), 1-5. https://doi.org/10.46576/wdw.v19i2.6284

Books:

A. E, Syaputra, et. al. (2025). Keamanan Jaringan Komputer. Sada Kurnia Pustaka.

H. D, Priyatno. (2017). Sistem pertanggungjawaban pidana korporasi: dalam kebijakan legislasi. Prenada Media.

Marzuki, M. (2017). Penelitian hukum: Edisi revisi. Prenada Media

Qamar, N., & Rezah, F. S. (2020). Metode Penelitian Hukum: Doktrinal dan Non-Doktrinal. CV . Social Politic Genius (SIGn).

S. M. R. Noval, et. al. (2023). Perlindungan Hak Digital: Ancaman Privasi di Tengah Serangan Social Engineering-Rajawali Pers. PT. RajaGrafindo Persada.

Waluyo, B. (2006). Masalah Tindak Pidana dan Upaya Penegakan Hukum. Sumber Ilmu Jaya.

Widodo. (2009). Sistem Pemidanaan Dalam Cybercrime, Laksbang Mediatama,Yogyakarta.

Internet:

Andika dwi. (2023). Begini Kronologi Data 204 Juta DPT Pemilu 2024 Milik KPU Bocor Dibobol Hakcer. Accessed on 1 November 2025, from https://www.tempo.co/ekonomi/begini-kronologi-data-204-juta-dpt-pemilu-2024-milik-kpu-bocor-dibobol-hakcer-114727

Rahel Narda Chaterine, Dani Prabowo (2021). Kemenkominfo Duga 279 Juta Data Penduduk yang Bocor Identik dengan Data BPJS Kesehatan. Accessed on 28 October 2025, from https://nasional.kompas.com/read/2021/05/21/15192491/kemenkominfo-duga-279-juta-data-penduduk-yang-bocor-identik-dengan-data-bpjs

Regulation:

Law No. 27 of 2022 concerning Personal Data Protection.

Law No. 1 of 2023 concerning the Criminal Code.

Law No. 1 of 2024 concerning the Second Amendment to Law.

Number 11 of 2008 concerning Electronic Information and Transactions.

Government Regulation Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions.

Court Decisions:

Sleman District Court Decision Number 527/Pid.Sus/2020/PN Smn. (2020). Directory of Decisions of the Supreme Court of the Republic of Indonesia