Alarming data leaks from Bangladesh government website

A Bangladesh government website has leaked the personal information of millions of citizens, including full names, phone numbers, email addresses and national ID numbers. Dhaka’s leading English daily said in a report that the number of leaked personal data records would be around 50 million.

Meanwhile, another report said an Iran-linked APT group has been involved in such notorious cybercrime for years.

Just a week ago, another data leak took place in the United States, where sixty-one thousand private addresses were leaked from the website of the US Patent and Trademark Office.

TechCrunch in an exclusive report said:

Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CERT). He said the leak includes data of millions of Bangladeshi citizens.

TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as — in some cases — the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.

TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven’t heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting of the data exposure.

In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver’s license, passport, buying and selling land, opening a bank account, and others.

Bangladesh’s CERT, the government’s press office, its embassy in Washington, D.C. and its consulate in New York City did not respond to requests for comment.

Markopoulos said finding the data “was too easy”.

“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result”, he told TechCrunch, referring to SQL, a language designed for managing data in a database.

The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also “be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification”.
