Sound the alarm bell: Inside the leak of 50 million Bangladeshis' personal data

Viktor Markopoulos, a Greek information security consultant who specialises in web applications and currently working for South Africa-based Bitcrack Cyber Security, detected a leak in a Bangladesh government website revealing the personal data of 50 million Bangladeshis. 

The American online newspaper TechCrunch first broke the news. The leaked information includes full names, phone numbers, email addresses and the national ID numbers of the citizens. 

The Business Standard contacted Viktor – who shared several screenshots of the leaked information via email and also details used in another story by The Business Standard. 

But the unprecedented leak of sensitive data of five crore Bangladeshis has raised the alarm bell. 

The Bangladeshi tech industry expert community find the leak 'alarming' and questioned the vulnerability of the IT securities in the government offices. "This is an alarming issue," said Fahim Mashroor, tech entrepreneur and the CEO of BD Jobs. 

"They availed access to data of more than five crore citizens which is almost one-third of our population. All this information was taken from a government database, which exposes how vulnerable the state of IT security is in those offices," he added. 

Victor said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people." 

He also said that he tried to reach out to the responsible Bangladesh government agency (CERT in this case) but they didn't respond, and the leak was still live as of taking the interview on Saturday noon. 

"We are not aware of identity theft so we don't take it very seriously," said Syed Almas Kabir, former president of BASIS. "But it should bear in mind that identity theft can be executed in a very evil manner. Say for instance, through identity theft, I can even claim your identity. Starting tomorrow, I can open bank accounts under your name and do other things." 

Describing the leak as 'outright alarming,' he said that when it comes to cyber security, data privacy or identity theft, our awareness is not up to the mark. 

"We have no understanding of data privacy whatsoever. A lot of people cannot differentiate between data security and data privacy. Securing data and having privacy over that data are two entirely different things. 

For example, let's say you are standing inside a bulletproof glass box. The bullet won't pierce through the glass and hit you. You are secured and protected. However, what you do not have is privacy because you are visible through the glass from the outside. 

In Bangladesh, both data security and data privacy are at risk. We have to pay attention to both," he added. 

Both Fahim Mashroor and Almas Kabir, however, stressed the fallout of possible leaks of far more sensitive information if such issues are not taken seriously. 

"Those data may very well not have been the most sensitive of data, but there is a huge risk if some of our financial data also gets exposed in this manner. This is absolutely alarming and this further begs the question as to how prepared and competent the data security at government institutions actually are," Mashroor said. 

Victor, however, said that being able to access data that easily through a simple Google search is definitely not a good sign. "While the leak of such data is bad on its own, these data can be used to access Birth Registration Record Verifications," he told The Business Standard. 

Syed Almas emphasised on government enhancing its capacity to prevent such leaks in the future. 

He said, "Consider the data kept at the NBR. If it is revealed/leaked, all the data pertaining to the trade and business of our nation will be available for viewing and monitoring by foreign nations. The data will also be seen by our competitors." 

They have to address the issue immediately by following and applying the set international guidelines regarding data security, he added. "What I cannot get my head around is the fact that how a large national database is not following the said international guidelines. The problems can be resolved only if the guidelines and the ISO standards are followed and executed." 

Viktor said that proper system architecture, regular penetration tests, authentication and authorisation mechanisms, clear communication with the citizens and addressing the issue when such an incident occurs are the key to ensuring the protection of sensitive data.