Advances in information technology have driven massive digital transformation among Digital Service Providers (DSPs) in Indonesia, but this development has also raised the potential for increasingly complex cybercrime threats, particularly in the form of ransomware attacks. This normative legal study aims to examine the construction of criminal acts and criminal liability in cases of personal data hacking through ransomware attacks. The results of the study show that ransomware is a multi-layered criminal offense punishable under Law No. 1 of 2024 concerning the Second Amendment to the ITE Law (Articles 30, 32, and 27B) for illegal access, system destruction, and digital extortion, as well as Law No. 27 of 2022 concerning Personal Data Protection (PDP Law) (Articles 67(2) and (3)) for the unlawful disclosure and use of personal data. The concept of criminal liability is expanded from the main perpetrator and accomplices under Article 20 of the 2023 Criminal Code to accomplices under Article 21 of the 2023 Criminal Code in transnational syndicates. In addition, DSPs acting as Personal Data Controllers may be subject to corporate criminal liability (Article 118 of the 2023 Criminal Code) and fines (Article 57 of the PDP Law) if they are proven to have been negligent in maintaining user data security, thereby facilitating attacks. Although there is existing jurisprudence in the Sleman District Court Decision No. 527/Pid.Sus/2020/PN Smn, law enforcement in Indonesia faces major challenges in the form of cross-border crimes, limitations in digital forensics, and the lack of strong international cooperation, which has made it difficult to achieve concrete criminal liability in many major cases such as BPJS Kesehatan and KPU.