Bangladesh Government Portal Leaked 50M Citizens' Records
Vulnerable Web Portal Enables Hacker to Access Birth Records, Personal Data
A security researcher discovered a Bangladesh government web portal that exposed the personal information of about 50 million citizens, including their birth registration records, phone numbers and national identity numbers. Unfortunately, his efforts to notify the government of the security flaw went unanswered.
Viktor Markopoulos, a security researcher at South Africa-based Bitcrack Cyber Security, said he came across the insecure government web portal on June 27 while looking up an SQL error on Google. The portal stored details of applications submitted online by Bangladeshi citizens and contained detailed personal records of millions of people.
The exposed information included citizens' full names, phone numbers, national ID numbers, parents' names, email addresses, birth certificates and birth registration records. Markopoulos said the exposed records are still publicly accessible, and the authorities have failed to restrict public access to the data.
He told Bangladeshi news outlet Prothom Alo that he wrote six emails and sent screenshots to Bangladeshi cybersecurity authorities, including Bangladesh's Computer Incident Response Team, CIRT Project Director Mohammad Saiful Alam Khan and the Bangladesh Computer Council.
"The security vulnerability I have uncovered poses a significant risk to the privacy and security of your citizens' personal information, particularly their birth certificates and birth registration records," he wrote in emails to authorities. "If exploited by a malicious actor, this vulnerability allows unauthorized access to birth certificate records, potentially leading to identity theft and other severe consequences."
On Friday, Markopoulos reported the data exposure to TechCrunch after failing to receive a response. "I never came across any incident of data leak this big. My assessment says the personal information of about 50 million people has been leaked. Those people have been harmed in various ways," he told media outlets.
During a cybersecurity awareness program in Dhaka on Sunday, Zunaid Ahmed Palak, Bangladesh's minister for information and technology, said, "The website was weak in terms of security. We have seen that there were technical flaws. As a result, the information became open to people. We have no way to avoid the liability."
Palak said the agency responsible for the data exposure was among 29 organizations the government had designated as "important information infrastructure" under the country's 2018 Digital Security Act.
Prabeer Sarkar, cybersecurity expert and CEO of Dhaka Distributions, told Information Security Media Group that the data exposure of 50 million citizens is perhaps the most significant cybersecurity incident since the Bangladesh Bank heist of 2016. "The impact is and will be of concern stretching across a long period of time," he said.
Sarkar said the incident underscores the immediate need for a data security policy framework, backed by a data privacy and protection legal framework.
Indonesia suffered a similar breach in early July after an anti-government hacktivist stole the personal information of nearly 35 million Indonesian passport holders from the Directorate General of Immigration's network and put its records up for sale on the dark web for $10,000 (see: 35M Indonesians' Passport Data for Sale on Dark Web for $10K).