Imagine discovering that your purchase records, collected by a retail shop since you became a customer, are now publicly available. This includes not only what you bought, but also when, how often you repurchased items, and how your household’s consumption patterns changed over time.
This data exposure constitutes a significant privacy violation, exemplifying a data breach. The incident may create additional security threats beyond the initial privacy violation.
This also recalls an earlier breach of sensitive personal information, including the names, phone numbers, and National Identification Document (NID) numbers of over 50 million citizens of Bangladesh, which occurred in 2023.
That breach of a government website was later described as almost accidental: the data was found “too easily,” and officials emphasised that the website had not been “hacked” -- rather, citizens’ information was exposed through website vulnerabilities, as if this distinction somehow lessened the severity of the failure.
This time, the breach from a corporate website does not merely reveal identity markers like names and phone numbers -- it exposes the detailed fabric of how people live their daily lives.
Around 270 million purchase records have been exposed, along with 2 million customer mobile numbers from corporate databases. The breach has affected more than 4 million registered customers of Shwapno, a retailer with a long-term vision to redefine modern retail and shape the future of e-grocery.
Unfortunately, the retailer’s systems allowed employees to click on phishing links, introducing malware into the network -- an attack vector that proper email filtering, security awareness training, and network segmentation should have prevented. The Qilin ransomware group and LockBit 5.0 later encrypted the company’s systems, demanding $1.5 million.
The retailer reportedly received this explicit ransom warning in August 2025. However, it waited seven months -- until March 2026, when data appeared on social media -- before filing a police report or notifying customers.
Customers queue at a checkout counter at a super shop retail brand in Dhaka. Photo: Courtesy
The voyeurism of leaked purchase histories
For several weeks after the breach became public, a website appeared online that turned private consumer behaviour into a macabre spectacle. The URL https://shwapnocheck.2bd.net/ allowed anyone with internet access to search for phone numbers and view complete purchase histories of the customers. What we bought, when we bought those, how much we spent -- all of it suddenly visible to strangers, competitors, and criminals.
“I checked my own number first, and there it was. Everything. Diapers I bought for my daughter, the dates, the prices, even the outlet location,” says Mahmud Hasan, a customer who discovered his data on the site. “Then I got curious and started checking my friends’ numbers. I could see one friend buying condoms regularly, another buying expensive cosmetics. These are private choices. Nobody should have access to this except the person who made the purchase.”
“It felt like someone had been watching me through my window for months. Every time I bought something personal -- health products, gifts, even food preferences -- it was all there for anyone to see. I felt exposed.”
Later, many customers attempted to check but found the link no longer operational. “I heard about the website from my colleagues, but when I tried to access it, the page was down,” says Shah Moynul Nishu, a Banani customer. “I still don’t know if my data was there or not. The uncertainty is almost worse than knowing.”
The credit card blindspot
Customers who shop regularly using credit and debit cards at the retailer’s outlets remain in the dark. The retailer has not confirmed whether card transaction details were compromised.
“I use my credit card at this super shop almost every week,” says Tasnima Rahman, a Banani resident. “When I heard about the breach, my first thought was: Does my bank know? Should I request a new card? I called my bank, and they had not been officially notified by the retailer about any breach involving card transactions.”
“If card data was potentially exposed, every bank whose customers shop at that retailer should have been notified immediately,” says a corporate banking executive who requested anonymity.
“Transaction information from customers using mobile financial services (MFS), credit card details, and all transaction identifiers are fully secure,” the operation team at a Mirpur outlet stated.
“Our loyalty program server has experienced a breach, and our technical team is actively addressing the issue. We have started to reconcile customers’ reward points based on their purchase history after a delay of 12 days, which has been outstanding since early April.”
The anatomy of negligence and the accountability vacuum
The investigation reveals a cascade of preventable failures that began long before any hacker sent a phishing email.
Dr Abu Sayed Md Mostafizur Rahaman, Professor of Computer Science and Engineering at Jahangirnagar University, cuts through the technical jargon to expose the core problem.
“The customer database should have been in a completely isolated network zone,” Dr Rahaman explains. “Proper network segmentation would have prevented attackers from jumping from an employee’s email system directly to the database server.”
Was it a technical failure due to the absence of real-time monitoring? A properly configured security monitoring system would have detected the massive, abnormal outbound transfer of 410 GB of data.
Dr Rahaman explained: “I am not sure that there was a proper Security Information and Event Management (SIEM) system to detect the massive, abnormal outbound transfer of consumer data. You had 4 million customers’ personal data stored in a database, and nobody was actively monitoring it.”
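To illustrate the kind of monitoring Dr Rahaman is describing, here is an added example (written for this article, not code from the retailer, from any SIEM product, or from Dr Rahaman) of a simple egress-volume rule: it sums each host’s outbound bytes per day from flow-log lines, builds a per-host baseline from that host’s own earlier days, and raises an alert when a day exceeds both an absolute floor and a multiple of the baseline. The log line format, the IP addresses and the byte counts are all constructed; the one abnormal day is sized to match the 410 GB figure reported above.

```python
"""Egress-volume anomaly detector: flags hosts whose daily outbound byte volume
far exceeds their own historical baseline. This is the sort of rule a SIEM
would evaluate over firewall or NetFlow records. Example code for this article;
the log format below is assumed, not a real product's format."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow-log lines (not from any real system). Assumed format:
# "<ISO-8601 timestamp>Z src=<ip> dst=<ip> bytes_out=<n>"
# 10.20.5.7 plays the customer database host: ~1 MB/day, then 410 GB on 5 Aug.
# 10.20.9.40 plays a host with a legitimately large but steady ~50 MB/day.
SAMPLE_FLOW_LOG = """\
2025-08-01T09:00:00Z src=10.20.5.7 dst=203.0.113.9 bytes_out=1200000
2025-08-02T09:05:00Z src=10.20.5.7 dst=203.0.113.9 bytes_out=900000
2025-08-03T09:10:00Z src=10.20.5.7 dst=203.0.113.9 bytes_out=1100000
2025-08-04T09:00:00Z src=10.20.5.7 dst=203.0.113.9 bytes_out=1000000
2025-08-01T10:00:00Z src=10.20.9.40 dst=198.51.100.3 bytes_out=50000000
2025-08-02T10:00:00Z src=10.20.9.40 dst=198.51.100.3 bytes_out=55000000
2025-08-03T10:00:00Z src=10.20.9.40 dst=198.51.100.3 bytes_out=48000000
2025-08-04T10:00:00Z src=10.20.9.40 dst=198.51.100.3 bytes_out=52000000
2025-08-05T02:13:44Z src=10.20.5.7 dst=203.0.113.9 bytes_out=220000000000
2025-08-05T02:51:02Z src=10.20.5.7 dst=203.0.113.9 bytes_out=190000000000
2025-08-05T10:00:00Z src=10.20.9.40 dst=198.51.100.3 bytes_out=51000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flow_log(text):
    """Parse log text into (day, src, dst, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production pipeline would count and report unparsable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts.date(), m["src"], m["dst"], int(m["bytes"])))
    return records


def daily_egress(records):
    """Sum outbound bytes per (source host, calendar day)."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in records:
        totals[(src, day)] += nbytes
    return totals


def detect_exfiltration(text, ratio=10.0, min_bytes=1_000_000_000, min_history=3):
    """Return alerts for hosts whose daily egress exceeds both an absolute floor
    (min_bytes) and `ratio` times the median of that host's earlier daily totals.
    The absolute floor keeps tiny hosts from alerting on noise; the per-host
    baseline keeps legitimately busy hosts (backups, mirrors) from alerting.
    A host with fewer than `min_history` earlier days has no baseline and is skipped."""
    totals = daily_egress(parse_flow_log(text))
    per_host = defaultdict(dict)
    for (src, day), nbytes in totals.items():
        per_host[src][day] = nbytes

    alerts = []
    for src, days in per_host.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]  # only days before this one
            if len(history) < min_history:
                continue
            baseline = median(history)
            observed = days[day]
            if observed >= min_bytes and observed > ratio * baseline:
                alerts.append({
                    "host": src,
                    "day": day.isoformat(),
                    "bytes_out": observed,
                    "baseline_bytes": baseline,
                    "multiple": round(observed / baseline, 1) if baseline else None,
                })
    return sorted(alerts, key=lambda a: (a["day"], a["host"]))


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOW_LOG):
        print(f"ALERT {alert['host']} on {alert['day']}: "
              f"{alert['bytes_out']:,} bytes out "
              f"(baseline {alert['baseline_bytes']:,.0f}, x{alert['multiple']})")
```

On the constructed data only the database host on 5 August is flagged, at roughly 390,000 times its baseline, while the steady 50 MB/day host stays quiet. A real deployment would also key on destination (a database server that starts talking to an unfamiliar external address is itself a signal), use a rolling window rather than calendar days, and route alerts to an on-call analyst rather than stdout; the point of the example is that a transfer of this scale against a baseline of a few megabytes is not subtle.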
When asked what should have happened immediately after this breach, Dr Rahaman is unambiguous: “A proper incident response would have included immediate verification, external forensic review, and customer notification.” None of this happened.
This brings us to the accountability vacuum. The investigation found no evidence of any personnel facing consequences for this catastrophic security failure. No independent audit was commissioned. No technical committee formed. No detailed explanation was made public.
When asked why legal action was not taken until seven months after the breach, officials stated that “the technical team had assured management that data had been recovered and there was no issue.” This excuse reveals either gross incompetence or deliberate concealment.
While customers faced mounting fraud attempts and employees fielded questions they were forbidden to answer, the authority made a calculated decision to deny, deflect, and delay.
At the Azimpur branch, a staff member delivered the company line with chilling precision: “There was no need for separate security measures. Higher-ups have forbidden us from worrying and instructed us to explain it to customers if they ask.”
“We did not get any official notice. We just saw it online like everyone else,” says a cashier at this retailer when asked whether management had briefed frontline staff about the breach. The pattern was consistent across multiple outlets.
“Customers have asked whether the news is true, but we were not given any official instruction to explain it,” says Shakib, a customer service representative at the Satmashjid branch. “We were told not to give any answer from the higher authorities.”
The regulatory void
No data protection authority is enforcing disclosure requirements, because none exists with meaningful enforcement power. There is no mandatory breach notification law, because Bangladesh has not passed comprehensive data protection legislation.
“BTRC and the ICT Division should ensure organizations follow minimum cybersecurity standards, including mandatory security audits, and strict policies for reporting breaches.”
Dr Rahaman advised, “The affected customers should change their passwords, especially if the same password was used on multiple platforms. They should be careful about phishing emails, SMS, or unknown calls asking for personal information.”
This enquiry reveals that the retailer never promptly issued a public statement warning customers that their data may have been exposed. This is not customer service. This is risk transfer.
“I’m very frustrated with how companies don’t provide a secure environment for customers,” says a customer. “The company will just say ‘sorry’ and go back to doing business as usual.”
The verdict of silence
The unpleasant reality is that this data breach resulted from the negligent custody of sensitive information.
As one opinion piece noted, “collecting millions of consumer records is a business decision, but protecting them is a legal and moral obligation.”
Millions of registered customers are now paying the price through spam calls, fraud attempts, and the permanent loss of their shopping privacy.
Zulker Naeen is a Research Coordinator, Center for Critical and Qualitative Studies (CQS) and Adjunct Faculty, Department of Media Studies and Journalism (MSJ), University of Liberal Arts Bangladesh (ULAB). Views expressed are the writer's own.