An alarming claim has surfaced, suggesting that the personal information of around 50 million Bangladeshis, including their full names, phone numbers, email addresses, and NID numbers, is openly accessible on a government website.
Researcher Viktor Markopoulos of Bitcrack Cyber Security accidentally discovered the leak on June 27 and promptly informed the Bangladeshi e-Government Computer Incident Response Team (CIRT), according to TechCrunch, an online portal focusing on high tech.
However, the Dhaka Tribune has not independently verified this claim.
Markopoulos revealed that the leaked data comprises the details of millions of Bangladeshi citizens. Shockingly, anyone can visit the website and find citizens' names, dates of birth, and NID numbers by simply conducting a Google search.
TechCrunch conducted its own investigation to validate the authenticity of the leaked data.
By using a portion of the leaked information to query a public search tool on the affected government website, TechCrunch confirmed that the data is legitimate.
The search returned additional information from the leaked database, including the names of individuals who applied for registration and, in some instances, the names of their parents.
TechCrunch successfully replicated this process with ten different sets of data, all of which returned accurate information.
However, TechCrunch refrained from disclosing the name of the specific website because, as Markopoulos confirmed, the data is still accessible online.
TechCrunch has yet to receive a response despite contacting various government organizations via email for comment and to alert them about the data exposure.
In Bangladesh, every citizen aged 18 and older is issued a National ID Card (NID), which assigns a unique identification number to each individual.
This card is mandatory and enables citizens to access various services, such as obtaining a driver's license or passport, buying or selling land, and opening a bank account.
Markopoulos expressed concern over the ease of finding the exposed data, stating, "It just appeared as a Google result, and I didn't even intend to find it.
"I was Googling an SQL error, and it just popped up as the second result."
SQL is a language used for managing data in a database.
The exposure of email addresses, phone numbers, and national ID card numbers is highly alarming.
Markopoulos further highlighted that this information could be exploited within the web application to gain unauthorized access, make modifications, delete applications, and even view Birth Registration Record Verification.
CIRT launches investigation
In response to the news of the massive data breach, CIRT took swift action by acknowledging the matter and launching a comprehensive investigation.
In a press release issued on Saturday, CIRT emphasized its commitment to cybersecurity and the protection of citizens' data.
"It is crucial for all stakeholders involved to collaborate and support the CIRT's efforts to rectify the situation, implement necessary security measures, and prevent similar incidents in the future," the press release read.


