
Sound the alarm bell: Inside the leak of 50 million Bangladeshis' personal data

Black_cats


Bangladesh government website leaks citizens’ personal data

Lorenzo Franceschi-Bicchierai
@lorenzofb / 6:55 am PDT • July 7, 2023
[Image: a photo of a Bangladeshi national ID card held up to the camera, with identifying data blurred. Image Credits: Munir uz Zaman / AFP / Getty Images]

A Bangladeshi government website leaked the personal information of citizens, including full names, phone numbers, email addresses and national ID numbers.

Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CERT). He said the leak includes data of millions of Bangladeshi citizens.

TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as — in some cases — the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.

TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven’t heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting them to the data exposure.

In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver’s license, passport, buying and selling land, opening a bank account, and others.

Bangladesh’s CERT, the government’s press office, its embassy in Washington, D.C. and its consulate in New York City did not respond to requests for comment.

Markopoulos said finding the data “was too easy.”

“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch, referring to SQL, a language designed for managing data in a database.

The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also “be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification.”

Additional reporting by Jagmeet Singh.

 
Sound the alarm bell: Inside the leak of 50 million Bangladeshis' personal data

PANORAMA

Masum Billah & Aunim Shams
08 July, 2023, 09:50 pm
Last modified: 08 July, 2023, 10:58 pm

The Bangladeshi tech industry expert community finds the leak ‘alarming’ and has questioned how vulnerable IT security is in government offices


Viktor Markopoulos, a Greek information security consultant who specialises in web applications and currently works for South Africa-based Bitcrack Cyber Security, detected a leak in a Bangladesh government website revealing the personal data of 50 million Bangladeshis.

The American online newspaper TechCrunch first broke the news. The leaked information includes full names, phone numbers, email addresses and the national ID numbers of the citizens.

The Business Standard contacted Viktor, who shared several screenshots of the leaked information via email, along with details used in another story by The Business Standard.

But the unprecedented leak of sensitive data of five crore Bangladeshis has raised the alarm bell.

The Bangladeshi tech industry expert community finds the leak 'alarming' and has questioned how vulnerable IT security is in government offices. "This is an alarming issue," said Fahim Mashroor, tech entrepreneur and the CEO of BD Jobs.

"They availed access to data of more than five crore citizens which is almost one-third of our population. All this information was taken from a government database, which exposes how vulnerable the state of IT security is in those offices," he added.

Viktor said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people."

He also said that he tried to reach out to the responsible Bangladesh government agency (CERT in this case) but they didn't respond, and the leak was still live at the time of the interview at noon on Saturday.

"We are not aware of identity theft so we don't take it very seriously," said Syed Almas Kabir, former president of BASIS. "But it should bear in mind that identity theft can be executed in a very evil manner. Say for instance, through identity theft, I can even claim your identity. Starting tomorrow, I can open bank accounts under your name and do other things."

Describing the leak as 'outright alarming,' he said that when it comes to cyber security, data privacy or identity theft, our awareness is not up to the mark.

"We have no understanding of data privacy whatsoever. A lot of people cannot differentiate between data security and data privacy. Securing data and having privacy over that data are two entirely different things.

For example, let's say you are standing inside a bulletproof glass box. The bullet won't pierce through the glass and hit you. You are secured and protected. However, what you do not have is privacy because you are visible through the glass from the outside.

In Bangladesh, both data security and data privacy are at risk. We have to pay attention to both," he added.

Both Fahim Mashroor and Almas Kabir, however, stressed the fallout of possible leaks of far more sensitive information if such issues are not taken seriously.

"Those data may very well not have been the most sensitive of data, but there is a huge risk if some of our financial data also gets exposed in this manner. This is absolutely alarming and this further begs the question as to how prepared and competent the data security at government institutions actually are," Mashroor said.

Viktor, however, said that being able to access data that easily through a simple Google search is definitely not a good sign. "While the leak of such data is bad on its own, these data can be used to access Birth Registration Record Verifications," he told The Business Standard.

Syed Almas emphasised the need for the government to enhance its capacity to prevent such leaks in the future.

He said, "Consider the data kept at the NBR. If it is revealed/leaked, all the data pertaining to the trade and business of our nation will be available for viewing and monitoring by foreign nations. The data will also be seen by our competitors."

They have to address the issue immediately by following and applying the set international guidelines regarding data security, he added. "What I cannot get my head around is the fact that how a large national database is not following the said international guidelines. The problems can be resolved only if the guidelines and the ISO standards are followed and executed."

Viktor said that proper system architecture, regular penetration tests, authentication and authorisation mechanisms, clear communication with the citizens and addressing the issue when such an incident occurs are the key to ensuring the protection of sensitive data.

 
