Date: 2023-07-09

State Minister for Information and Communication Technology Zunaid Ahmed Palak said on Sunday (9 July) that the concerned government site's weakness was responsible for the data leak that exposed more than 5 crore Bangladeshi citizens' personal information.

"No government website has been hacked," he said, adding, "Citizens' information was exposed due to the vulnerability of the website."

He made these statements to the media after attending the launching ceremony of Bangabandhu International Cyber Security Awareness Award 2023 in Agargaon.

"Our Computer Incident Response Team, BGD e-gov CIRT, investigated the matter after learning about it. We found that it cannot be called hacking. Because hacking is when someone breaks into a system and steals information. It was not that someone came into your house and stole something," Palak explained.

He continued without mentioning the name of the website, "We have found that the website that exposed the data did not have the minimum security certificate it should have obtained. Moreover, through the API which was created, anyone could see the data. This is why we did not find any particular cyber hackers, cybercriminals who have hacked or stolen information."

"What we found was that there were some technical weaknesses in the website, due to which, the data could be easily seen, and read and was practically open to all."

When asked who would be held responsible for the data leak, the state minister said, "The government has declared 29 government institutions as critical information infrastructure. The information was exposed due to the error of one of the institutions."

He added that efforts were underway to resolve the issue, and the people responsible for the leak will be brought to justice.

"We will recommend punishments for those whose negligence caused the data to be exposed," Palak said.

He recalled the 2016 Bangladesh Bank hacking which cost Bangladesh $81 million. "We did not have a computer incident response team or a security guideline back then."

He added that BGD CIRT and then the Digital Security Act (DSA) were established following Sajeeb Wazed Joy's suggestions.

"Security of information is our next challenge," he said, mentioning the rising importance of information security along with monetary security.

He said that these 29 institutions were regularly notified of basic security recommendations such as following the guidelines for managing email, data centre and database management, regularly conducting external IT audits, and vulnerability and penetration tests.

Palak said that he will sit with the 29 CIIs, CIRT and related organisations to review and determine the current situation, assess the risks and plan on what to do in the future.

He stated that the process to finalise a Data Security Act is underway and may be presented before the cabinet soon. "We have studied all the information received nationally and internationally and the General Data Protection Rules of the European Union, the recent laws of Australia, Canada, the US and the CBPR of the United Nations, and accommodated everyone's opinion, and have almost finalised the draft."

"We will take this mistake as a lesson and discuss what to do to not make such a mistake or face a loss like this again."

According to a report published by the US-based online news outlet TechCrunch, Viktor Markopoulos, a researcher working at Bitcrack Cyber Security, accidentally discovered the alarming leak on 27 June.

Noting that the leaked personal data includes full names, phone numbers, email addresses and National Identification (NID) numbers, Viktor said he informed the Bangladesh e-Government Computer Incident Response Team (CIRT) about the data breach but got no response.

The Business Standard contacted Viktor, who shared several screenshots of the leaked information via email.

Viktor said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people."

He said that proper system architecture, regular penetration tests, authentication and authorisation mechanisms, clear communication with the citizens and addressing the issue when such an incident occurs are the key to ensuring the protection of sensitive data.