Bangladesh Government Website Leaks Personal Data

The personal details of Bangladeshi citizens have been accidentally disclosed by the website of the Office of the Registrar General, Birth and Death Registration.

According to research by TechCrunch and confirmed by South African company Bitcrack Cyber Security, the leaked data included full names, phone numbers, email addresses, and national ID numbers of Bangladeshi citizens.

Leaky Data Discovered

Bitcrack Cyber Security researcher Viktor Markopoulos said he accidentally discovered the leak in late June and contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT) afterwards. He told TechCrunch that the leak included data of millions of Bangladeshi citizens, however the exposed data was taken down five days later.

Asked how long the data was accessible, Markopoulos says he could not be sure, but he knows it was available from June 27 until July 9, when he discovered it and the issue was fixed. "The records I found there though were dating back to at least 2021," he notes.

Markopoulos says he could not be sure if the data had been compromised or used. "Anyone could've found them out like I did," he says. "I searched some Dark Web forums at some point to see if there was any relative leaks for sale, [and] I didn't find any."

However it was later discovered that the quantity of people who may have been affected could be a large portion of the total population, as if there were 50 million records discovered, only around 80 million hold a national identity card.

Also if the CIRT was contacted on June 27th, this would have clashed with the Eid-ul-Adha festival on June 28th, and offices were closed for 15 days. Markopoulos says from June 27th he contacted two email addresses on an almost daily basis, and to this day has not received a response.

Who Actually Held the Data?

It has since been learned that the government website that exposed the data is not the original collector of the data, as the Election Commission collected the data and the National Identity Card Registration Division receives the data from an unnamed source, and stored the data when it was not supposed to have it.

Also, the website which exposed the data is under a different node on the organizational chart, as the Ministry of Home Affairs currently does not fall under the same department as the Election Commission, which is where most of the information was stored.

Actions of the Government

The CIRT initiated "a thorough investigation into the matter, leaving no stone unturned in pursuit of understanding the extent and impact of the data breach," the organization said in a press release.

According to Markopoulos, finding the data was very simple, as it appeared as a Google search result. "All I did was follow the instructions that the vulnerable API was telling me — it was showing an error that the word 'register' in the URL should be a number and not a word," he explains. "So I just changed 'register' to 123456789 and it just popped the birth application of a random person with all the relevant data required."

TechCrunch said it used 10 different sets of data on the public search tool of the government website and were able to verify the data. The website returned other data contained in the leaked database such as the name of the person who applied to register and, in some cases, their parents' names.