Data not leaked from Election Commission servers: NID DG

Data that exposed more than five crore Bangladeshi citizens' personal information was not leaked from the Election Commission servers, said Director General of National Identity Card (NID) Registration Division AKM Humayun Kabir.

"A total of 171 organisations provide services with data from the Election Commission. It will be checked whether data is being leaked through any of them. If such evidence is found, we will cancel the contract with the organisation," he told reporters in a press conference at the Election Commission office in the capital's Agargaon on Sunday (9 July).

He further said, "So far, we have not faced any problems in our data centre. But we will look into the matter. 

"An investigation committee will be formed with ICT experts and further steps will be taken accordingly," the director general said. 

Viktor Markopoulos, a researcher working in Bitcrack Cyber Security, accidentally discovered the leak on 27 June, according to a report published by a US-based online news outlet TechCrunch.

Mentioning that the leak includes personal data, such as full names, phone numbers, email addresses and National Identification (NID) numbers, Viktor said he informed the Bangladesh e-Government Computer Incident Response Team (CIRT) about the data breach but got no response.

State Minister for Information and Communication Technology Zunaid Ahmed Palak on Sunday said the weakness of the site concerned was responsible for the data leak.

"No government website has been hacked," he said adding, "Citizens' information was exposed due to the vulnerability of the website."

The Business Standard contacted Viktor – who shared several screenshots of the leaked information via email.

Victor said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people." 

He said that proper system architecture, regular penetration tests, authentication and authorisation mechanisms, clear communication with the citizens and addressing the issue when such an incident occurs are the key to ensuring the protection of sensitive data.