
Bangladesh Government Website Leaks Personal Data

Personal details of Bangladeshi citizens found online by a researcher included full names, phone numbers, email addresses, and national ID numbers.


The personal details of Bangladeshi citizens have been accidentally disclosed by the website of the Office of the Registrar General, Birth and Death Registration.

According to research by TechCrunch and confirmed by South African company Bitcrack Cyber Security, the leaked data included full names, phone numbers, email addresses, and national ID numbers of Bangladeshi citizens.

Leaky Data Discovered

Bitcrack Cyber Security researcher Viktor Markopoulos said he accidentally discovered the leak in late June and contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT) afterwards. He told TechCrunch that the leak included data of millions of Bangladeshi citizens; however, the exposed data was taken down five days later.

Asked how long the data was accessible, Markopoulos says he could not be sure, but he knows it was available from June 27, when he discovered it, until July 9, when the issue was fixed. "The records I found there though were dating back to at least 2021," he notes.

Markopoulos says he could not be sure if the data had been compromised or used. "Anyone could've found them out like I did," he says. "I searched some Dark Web forums at some point to see if there was any relative leaks for sale, [and] I didn't find any."

However, it was later discovered that the number of people who may have been affected could be a large portion of the total population: if 50 million records were discovered, only around 80 million people hold a national identity card.

Also, if the CIRT was contacted on June 27th, this would have clashed with the Eid-ul-Adha festival on June 28th, and offices were closed for 15 days. Markopoulos says that from June 27th he contacted two email addresses on an almost daily basis, and to this day has not received a response.

Who Actually Held the Data?

It has since been learned that the government website that exposed the data is not the original collector of the data: the Election Commission collected the data, while the National Identity Card Registration Division receives the data from an unnamed source and stored it when it was not supposed to have it.

Also, the website which exposed the data is under a different node on the organizational chart, as the Ministry of Home Affairs currently does not fall under the same department as the Election Commission, which is where most of the information was stored.

Actions of the Government

The CIRT initiated "a thorough investigation into the matter, leaving no stone unturned in pursuit of understanding the extent and impact of the data breach," the organization said in a press release.

According to Markopoulos, finding the data was very simple, as it appeared as a Google search result. "All I did was follow the instructions that the vulnerable API was telling me — it was showing an error that the word 'register' in the URL should be a number and not a word," he explains. "So I just changed 'register' to 123456789 and it just popped the birth application of a random person with all the relevant data required."

TechCrunch said it used 10 different sets of data on the public search tool of the government website and was able to verify the data. The website returned other data contained in the leaked database, such as the name of the person who applied to register and, in some cases, their parents' names.
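The flaw Markopoulos describes, an endpoint whose error message says what input it wants and which then returns a record for any number supplied, is shown below next to a hardened handler. This is an added example, not code from the affected website or from the article; it assumes the endpoint did no caller authorization, and the handler names, session tokens, and records are all constructed.

```python
# Constructed sample records; not data from the incident.
RECORDS = {
    "123456789": {"owner": "user-a", "name": "Sample Person A", "national_id": "0000000001"},
    "123456790": {"owner": "user-b", "name": "Sample Person B", "national_id": "0000000002"},
}
SESSIONS = {"token-a": "user-a", "token-b": "user-b"}  # hypothetical session store
RETURNED_FIELDS = ("name",)  # only what the caller's task needs

def lookup_vulnerable(path_id, token=None):
    """Behaviour described in the article: hint-giving error, no authorization."""
    if not path_id.isdigit():
        # Tells any visitor exactly what to put in the URL.
        return 400, {"error": f"'{path_id}' should be a number"}
    record = RECORDS.get(path_id)
    if record is None:
        return 404, {"error": "no such application"}
    return 200, record  # full record, to anyone who asks

def lookup_hardened(path_id, token=None):
    """Authenticate, check ownership, minimise fields, keep errors uniform."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "authentication required"}
    well_formed = path_id.isascii() and path_id.isdigit()
    record = RECORDS.get(path_id) if well_formed else None
    # Malformed, unknown and not-owned ids get the same answer, so the
    # response cannot be used to learn the id format or which ids exist.
    if record is None or record["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {field: record[field] for field in RETURNED_FIELDS}

def records_exposed(handler, ids, token=None):
    """Regression check: how many ids return a record to this caller?"""
    return sum(1 for i in ids if handler(i, token)[0] == 200)

if __name__ == "__main__":
    ids = list(RECORDS)
    print("vulnerable, no session:", records_exposed(lookup_vulnerable, ids))
    print("hardened, no session:  ", records_exposed(lookup_hardened, ids))
    print("hardened, user-a:      ", records_exposed(lookup_hardened, ids, "token-a"))
```

A check like `records_exposed` fits in a CI suite, so an endpoint that starts answering unauthenticated or cross-user lookups fails the build instead of reaching a search index.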

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
