Millions of Bangladeshi citizens’ personal information, including full names, phone numbers, email addresses, and national ID numbers, was accidentally leaked through a government website. The breach was initially discovered by Viktor Markopoulos, a researcher employed at Bitcrack Cyber Security, who promptly notified the Bangladeshi e-Government Computer Incident Response Team (CERT) upon making the finding according to the report.
TechCrunch independently confirmed the legitimacy of the leaked data by utilizing a portion of it to query a public search tool on the affected government website. The website provided additional details from the compromised database, such as the applicant’s name and, in certain instances, the names of their parents. To ensure accuracy, TechCrunch repeated this process with ten different data sets, each time receiving correct information.
Out of concern for ongoing data availability, TechCrunch has chosen not to disclose the name of the government website. Despite reaching out to various Bangladeshi government organizations via email to alert them of the data exposure and request comments, no responses have been received at the time of reporting.
In Bangladesh, every citizen aged 18 and above is issued a mandatory National Identity Card that assigns a unique identification number. This card grants individuals access to numerous services, including obtaining a driver’s license, passport, engaging in land transactions, opening bank accounts, and more.
Requests for comments from Bangladesh’s CERT, the government’s press office, its embassy in Washington, D.C., and its consulate in New York City have gone unanswered.
Markopoulos expressed surprise at how effortlessly he stumbled upon the leaked data, stating, “It just appeared as a Google result, and I wasn’t even intending on finding it. I was searching for an SQL error, and it unexpectedly emerged as the second result.” SQL is a language designed for managing database information.
The exposure of email addresses, phone numbers, and national ID card numbers is deeply concerning. Markopoulos also highlighted the potential risks associated with this type of information, which could be exploited to gain unauthorized access, manipulate applications, delete records, or even view the Birth Registration Record Verification within the web application.