Site's weakness to blame for exposing citizens' data: Palak

State Minister for Information and Communication Technology Zunaid Ahmed Palak has said the weakness of the website concerned was responsible for the data leak that exposed more than five crore Bangladeshi citizens' personal information.

"No government website has been hacked. Citizens' information was exposed due to the vulnerability of the website," he told the media on Sunday.

According to the Digital Security Act, 29 government institutions are declared as Critical Information Infrastructure.

"The surprising thing is that the institution that we identified at no 27 is the one that fell into this incident," Palak said.

As per government gazette, institution no 27 is the Office of the Registrar General, Birth and Death Registration.

Palak said that he will sit with the 29 CIIs, CIRT and related organisations on Monday to review and determine the current situation, assess the risks and plan on what to do in the future.

According to a report published by a US-based online news outlet TechCrunch, Viktor Markopoulos, a researcher working in Bitcrack Cyber Security, accidentally discovered the alarming leak on 27 June.

Mentioning that the leak includes personal data including their full names, phone numbers, email addresses and National Identification (NID) numbers, Viktor said he informed the Bangladesh e-Government Computer Incident Response Team (CIRT) about the data breach but got no response.

The Business Standard contacted Viktor – who shared several screenshots of the leaked information via email. He said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people."

Meanwhile, officials of the Election Commission's (EC) NID wing said the leak was not from the EC servers.

The leak happened through the weakness in the IT infrastructure in one of the 171 partner organisations who use data from EC server, said AKM Humayun Kabir, director general of National Identity Card Registration Division in a press conference on Sunday. 

The leak was the result of one of these organisations storing personal data it was not supposed to keep, he said.

Squadron Leader Saad Waiez Tanveer, director (IT), Idea Project of the EC, said the leak could not have come from the EC server as they do not provide bulk information to these organisations.

He further said, "So far, we have not faced any problems in our data centre. But we will look into the matter."

Regarding the incident, Home Minister Asaduzzaman Khan Kamal said stern action will be taken against those who have leaked personal data of the citizens by hacking the NID database.

"The law enforcement agencies are investigating the matter to obtain 'very specific' information... Strict action awaits the wrongdoers, for sure," the minister said on Sunday.

"Our cyber unit is already working to enhance security measures and protect the personal information of the citizens, as the Home Affairs Ministry will take over the NID server soon after completing some legal procedures," Kamal said.