In a major cybersecurity breach, a government website in Bangladesh has exposed the personal information of millions of citizens. This alarming incident involves the leakage of sensitive data, including names, phone numbers, email addresses, and national ID numbers – a development that underscores the shortcomings in data protection measures implemented by the Bangladeshi government and further highlighting the need for enhanced data governance and cybersecurity practices.
The development was made public via a TechCrunch report, which in turn cited the discovery of Viktor Markopoulos. A researcher at Bitcrack Cyber Security, Markopoulos revealed that he discovered the leak last month – on June 27 – and contacted the Bangladeshi e-Government Computer Incident Response Team (CERT) to inform them about the leak, which includes the personal data and information of millions of Bangladeshi citizens.
The leaked data contains highly sensitive personal information of Bangladeshi citizens, leaving them vulnerable to identity theft, fraud, and other malicious activities. The disclosure of full names, phone numbers, and email addresses increases the risk of targeted phishing attacks, spamming, and harassment. Furthermore, the exposure of national ID numbers could lead to identity fraud and unauthorized access to crucial services. Markopoulos reports that the citizens’ data was still available online.
“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” Markopoulos said, adding that finding the data “was too easy.”
In Bangladesh, the National Identity Card is an essential document that grants citizens access to various services, including obtaining a driver’s license, passport, land transactions, and banking activities, once they turn 18. In a nutshell, this card is mandatory and is linked to multiple aspects of individuals’ lives in the country. With the leaked national ID numbers, cybercriminals could exploit this information to impersonate individuals, engage in fraudulent activities, or gain unauthorized access to sensitive services, significantly amplifying the risks faced by affected citizens.