TL;DR: At the Garuda AI Impact Summit 2026, VIDA Founder and Group CEO Niki Luhur argued that most organizations have their data security approach backwards. Ransomware attackers use cryptography to lock organizations out of their own data, yet most institutions leave their data unencrypted in the first place. The solution: encrypt first, before attackers do, and build authentication systems that ensure only verified identities can unlock access. According to Niki, 95% of global data breaches trace back to one root cause: weak authentication.
---
There is an irony in cybersecurity that rarely gets discussed. When ransomware attackers strike an organization, their weapon is cryptography, the very technology designed to protect data.
They take unprotected data, encrypt it, lock it down, and leave organizations unable to access their own systems. The data was vulnerable not because the attack was sophisticated, but because it was never encrypted in the first place.
This raises a question that reframes the entire approach to data security: what if organizations locked their data first, so that even if someone breaches the system, the data is useless without the right key?
That question was posed by Niki Luhur, Founder and Group CEO of VIDA, at the Garuda AI Impact Summit 2026. And the answer, he argued, comes down to one thing most organizations still get wrong: authentication.
Most organizations still operate under an outdated paradigm: prevent data breaches from ever occurring. That mindset is no longer realistic, and it has been obsolete for over a decade. Data breaches will happen. The priority now is ensuring that compromised data cannot be misused.
This requires a fundamental shift from "prevent the breach" to "make breached data useless." And the key to this new paradigm lies in who controls the encryption keys.
There are three questions every organization must be able to answer. First, who is allowed to access the data? This is a policy question about setting clear boundaries. Second, if the data is encrypted, who holds the keys? This is an architecture question about securing encryption keys within controlled, certified systems. Third, how do you track who uses those keys? This is an accountability question about ensuring every access event is logged and auditable.
All three questions point to the same answer: authentication. And here is where the real problem surfaces. According to Niki, an estimated 95% of data security breaches and cybersecurity incidents globally trace back to a single root cause: weak authentication systems.
Authentication is the process of verifying a person's identity before granting access to data or digital services. In data security, strong authentication acts as the primary line of defense against data misuse, even after a breach has occurred.
Authentication systems are built on three factors. The first is what you know: personal data such as passwords, PINs, or security questions. The second is who you are: biometrics such as facial recognition, fingerprints, or retinal scans. The third is what you have: physical devices such as smartphones, hardware tokens, or banking cards.
The problem is that the first factor has already collapsed. In an era of massive data breaches, personal information is widely exposed. Using passwords or personal data as access credentials is equivalent to locking a door with a key that has already been copied and distributed.
"If that data has already been leaked, stop using it," said Niki.
Effective data security must now rely on the second and third factors: verifying identity through biometrics (who you physically are) and verified devices (what you physically hold). This combination is far more difficult to forge than personal data that already circulates freely.
The concept becomes clearer through an example most people interact with daily: ATM and banking cards.
Debit card data remains safe. ATM transactions remain secure. The reason is straightforward: every encryption key is stored in a certified system with clear security standards.
Banking cards operate on exactly the principles outlined above. The data on the card is encrypted. The encryption keys are stored within certified banking infrastructure. And to unlock access, the user must prove identity through something they have (the physical card) and something they know (the PIN), two authentication factors working together.
If this same architecture were applied across all digital systems, data could be both secure and usable every day. And crucially, security and convenience would not be trade-offs. When the design and architecture are right, the most secure option is also the most convenient.
Every phase of Indonesia's digital transformation has required specific supporting infrastructure. The first phase, e-commerce, needed two enablers: payment systems and logistics networks. But beneath both, one fundamental challenge persists across every stage of digitalization: proving that a person's digital identity is genuine.
"Behind all of it, the core problem is always the same," Niki said. "How do you prove someone's identity digitally, to make sure services reach the right person and are not exploited by unauthorized parties?"
This challenge drove the development of digital identity infrastructure built on biometrics, cryptography, and Public Key Infrastructure (PKI), a framework that securely manages the creation, distribution, and verification of digital keys.
VIDA operates as a licensed Electronic Certification Authority (PSrE) under Indonesia's Ministry of Communication and Digital Affairs (Komdigi), functioning as what Niki calls a "digital locksmith": distributing cryptographic keys securely and ensuring each key can only be activated by a verified identity holder, either through biometric verification or a trusted device.
In practice, VIDA does not just encrypt data. It ensures that the encryption keys themselves are only accessible to identity-verified individuals, applying exactly the three principles above: controlled access, secured keys, and auditable usage.
Digital identity infrastructure is not exclusive to financial services. The same security architecture can and should be deployed across multiple sectors. Without strong digital identity infrastructure, every sector undergoing digital transformation faces the same risk of exploitation.