A fraudulent website designed to mimic Bangladesh’s official e-apostille platform has exposed sensitive personal data belonging to more than 1,100 citizens, in what cybersecurity experts are calling one of the most alarming digital governance failures in recent years.
Documents leaked online include NID cards, passports, academic certificates, marriage certificates, trade licences, business agreements and other private records—materials that could be exploited for identity theft, forgery, extortion and highly targeted scams.
The website, operating under a news domain, closely imitated the interface and structure of the government-run MyGov e-apostille service hosted under a .bd domain.
The fake platform generated fabricated apostille certificates, each carrying a QR code. Scanning the code led to a record in a database whose entries were numbered sequentially.
Changing the final digits in the URL revealed documents belonging to other applicants, a well-known class of vulnerability that experts identify as Insecure Direct Object Reference (IDOR).
Cybersecurity professionals warn that IDOR-based breaches are among the most damaging, because attackers do not need advanced tools, only a web browser. “With sequential references, anyone can harvest sensitive files at scale,” said a Dhaka-based cybersecurity analyst, adding: “Using UUIDs, encryption and layered access verification could have prevented this.”
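The following is an added example, not code from the Dhaka Tribune article or from the MyGov platform. It reproduces in miniature the flaw the article describes (a sequential record ID in a QR-code URL with no check on who is asking), places the remedy the analyst names beside it (a random UUID reference, a per-document secret carried by the QR code, and an ownership check before the scan itself is returned), and adds the log check a detection team would want to flag ID walking. Every record, URL, IP address and log line is constructed for the demo; the hostname fake-apostille.example and the account names are hypothetical.

```python
"""Added example, not code from the Dhaka Tribune article or the MyGov
platform: a toy record store that reproduces the IDOR the article describes
(sequential IDs in a QR-code URL), a hardened lookup, and a log check that
flags ID enumeration. Every record, URL, IP and log line is constructed."""
from __future__ import annotations

import re
import secrets
import uuid
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Document:
    owner: str      # applicant account that submitted the file (constructed)
    kind: str       # e.g. "passport", "nid", "marriage_certificate"
    payload: str    # stands in for the scanned image


# --- Vulnerable pattern: sequential integer IDs, no ownership check ----------
# The QR code on the certificate points at https://host/verify?id=1042;
# changing the last digits walks the whole database.
VULN_STORE = {
    1041: Document("alice", "passport", "scan-a"),
    1042: Document("bob", "nid", "scan-b"),
    1043: Document("carol", "marriage_certificate", "scan-c"),
}


def verify_vulnerable(url: str) -> Document | None:
    """Resolve a QR-code URL. The only check is that the id exists; nothing
    ties the request to the applicant or to a per-document secret: IDOR."""
    doc_id = int(parse_qs(urlparse(url).query)["id"][0])
    return VULN_STORE.get(doc_id)


def harvest(base_url: str, start: int, count: int) -> list[tuple[int, str, str]]:
    """What 'only a web browser' is enough for: iterate the id space."""
    hits = []
    for i in range(start, start + count):
        doc = verify_vulnerable(f"{base_url}?id={i}")
        if doc is not None:
            hits.append((i, doc.owner, doc.kind))
    return hits


# --- Hardened pattern: random reference + capability token + minimal output --
@dataclass
class SecureStore:
    docs: dict[str, Document] = field(default_factory=dict)  # uuid -> doc
    tokens: dict[str, str] = field(default_factory=dict)     # uuid -> token

    def add(self, doc: Document) -> tuple[str, str]:
        ref = str(uuid.uuid4())              # 122 random bits: not enumerable
        token = secrets.token_urlsafe(32)    # secret printed only in the QR code
        self.docs[ref] = doc
        self.tokens[ref] = token
        return ref, token

    def verify(self, ref: str, token: str, requester: str | None = None) -> dict | None:
        """Layered check: the reference must exist, the caller must hold the
        document's token, and the scan itself is returned only to its owner.
        A third-party verifier gets a yes/no plus the document kind."""
        doc = self.docs.get(ref)
        if doc is None:
            return None
        # compare_digest avoids leaking the token through timing differences
        if not secrets.compare_digest(self.tokens[ref], token):
            return None
        result = {"kind": doc.kind, "valid": True}
        if requester == doc.owner:
            result["payload"] = doc.payload
        return result


# --- Detection: flag clients that walk sequential ids in the access log ------
LOG_RE = re.compile(r"^(?P<ip>\S+) GET /verify\?id=(?P<id>\d+)")


def flag_enumeration(log_lines: list[str], min_run: int = 3) -> set[str]:
    """Return client IPs that requested at least `min_run` consecutive ids."""
    seen: dict[str, set[int]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen.setdefault(m["ip"], set()).add(int(m["id"]))
    flagged = set()
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print(harvest("https://fake-apostille.example/verify", 1040, 5))
    store = SecureStore()
    ref, token = store.add(Document("dana", "trade_licence", "scan-d"))
    print(store.verify(ref, token))          # verifier: kind + valid only
    print(store.verify(ref, token, "dana"))  # owner: payload included
    print(store.verify(ref, "guess"))        # wrong token: None
```

The harvest loop is the whole attack: five requests, three people's files. In the hardened store an attacker who guesses a reference still needs the token from that one QR code, and even a legitimate verifier never receives the scanned image, which is the data whose leak the article says cannot be undone. The log check is deliberately simple; in production the same idea runs over the web server's access log with a rate window.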
Victims include Bangladeshi students preparing for overseas universities, migrant workers, job seekers, business representatives and individuals submitting family documents for personal verification abroad.
Many applied through local intermediaries—shops and agents offering government service assistance—making it difficult to determine whether the data was submitted knowingly or rerouted via the fake portal. When contacted, nine victims confirmed ownership of the leaked documents but none were aware of the breach prior to notification.
One applicant, a woman who submitted marriage documents and passports through an agency, expressed concern: “I don’t know where my information has gone. How can I be safe now?”
Investigators from Aspire to Innovate (a2i) have identified at least six active fake domains impersonating MyGov platforms. These sites used similar spellings, visual layouts and service names to mislead unsuspecting applicants. Officials say the fraud network appears to have operated since October, quietly collecting data, issuing fake certificates and storing scanned copies of documents.
A confidential early-stage investigation report reviewed by Dhaka Tribune warns the sites may have been used for phishing, financial fraud and data harvesting—and may be linked to broader criminal ecosystems. Cybersecurity teams suspect commercial motives, but do not rule out state-level or organised sabotage.
Faiz Ahmad Taiyeb, special assistant to the chief adviser overseeing the ICT ministry, described the episode as part of a wider digital sabotage effort. “We already know that millions of citizens’ data is circulating on the dark web. These platforms are attempting to erode public confidence in government services,” he told Dhaka Tribune.
He added that new security cells may be established to counter long-term threats. Bangladesh has faced repeated data exposure crises in recent years—ranging from leaked police complaint portals and student registries to the 2023 allegation that 50 million Covid vaccination records had surfaced online. Technology experts argue these recurring breaches undermine national credibility and threaten diplomatic, labour migration and economic sectors.
On this point, Professor BM Mainul Hossain of Dhaka University warned that personal documents, unlike passwords, cannot be changed. “Once private identity records enter the public sphere, the damage becomes permanent,” he said.
Digital governance analysts say the latest breach reveals deeper structural vulnerabilities: excessive reliance on third-party agents, insufficient platform verification, weak public awareness, and the absence of a comprehensive national data protection law.
Bangladesh began drafting a Data Protection Act in 2022, but it has not yet been enacted.
Cyber specialists urge the government to deploy mandatory HTTPS with certificate pinning, multi-factor verification, automated detection of crawlers and scrapers, zero-trust architecture, secure API gateways and regular third-party audits, standards now common in national digital identity systems.
With hundreds more documents likely uploaded to the fraudulent portals—and thousands of visitors accessing them—authorities are racing to remove mirrored websites and trace servers believed to be hosted outside Bangladesh.
However, forensic experts say that even if the portals are seized, stolen information will continue circulating online indefinitely.
For now, the breach stands as a stark warning—citizen trust in digital services cannot survive without strong data safeguards.
The question is no longer whether vulnerabilities exist, but how long Bangladesh can afford to ignore them.