The accidental disclosure of personal details of Bangladeshi citizens through the website of the Office of the Registrar General, Birth and Death Registration has raised serious concerns regarding data security. The leaked data, which included full names, phone numbers, email addresses, and national ID numbers, was discovered by Bitcrack Cyber Security and confirmed by TechCrunch.
Viktor Markopoulos, a researcher from Bitcrack Cyber Security, stumbled upon the leak in late June and immediately notified the Bangladeshi e-Government Computer Incident Response Team (CIRT). According to Markopoulos, the exposed data of millions of Bangladeshi citizens was taken down after five days. While he couldn’t determine the exact duration of the data’s accessibility, he found records dating back to at least 2021.
Markopoulos expressed concern that the leaked data could be compromised or misused. He noted that anyone could have discovered the data, just as he stumbled upon it. Markopoulos even searched Dark Web forums to check whether any related leaks were for sale, but didn’t find any evidence.
In response to the data breach, the CIRT released a press statement announcing a thorough investigation into the matter. They emphasized their commitment to fully understanding the extent and impact of the breach. The government’s proactive approach towards addressing the issue is commendable.
Markopoulos shed light on how easy it was to find the leaked data. He explained that following the instructions provided by the vulnerable API, he was able to access the information through a simple Google search. The API displayed an error indicating that the word ‘register’ in the URL should be a number rather than a word. By changing ‘register’ to ‘123456789’, Markopoulos was able to view the birth application of a random person, containing all the relevant data.
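The pattern described above, sketched as an added example that is not code from the registrar's website or from the researcher: an endpoint that echoes a type hint in its error and returns any record by number, beside a version that requires a session, checks record ownership and answers every failure identically. The record store, function names, `owner` field and session model are assumptions constructed for illustration.

```python
# Added illustration. Every name and record here is constructed,
# not taken from the real system.

# Constructed sample store: application number -> record and the account that filed it.
APPLICATIONS = {
    123456789: {
        "owner": "user-a",
        "name": "Sample Applicant",
        "national_id": "0000000000",
    },
}

NOT_FOUND = (404, "not found")


def lookup_vulnerable(path_segment, session_user=None):
    """Behaviour matching the article: helpful type error, no access check."""
    try:
        app_id = int(path_segment)
    except ValueError:
        # The error tells any caller what the URL segment must look like.
        return 400, f"'{path_segment}' should be a number"
    record = APPLICATIONS.get(app_id)
    if record is None:
        return NOT_FOUND
    # The full record goes to whoever asked; session_user is never consulted.
    return 200, record


def lookup_hardened(path_segment, session_user=None):
    """Same lookup with authentication, per-record authorization, uniform errors."""
    if session_user is None:
        return 401, "authentication required"
    # Malformed input, unknown id and someone else's record all look the same,
    # so responses reveal neither the parameter format nor which ids exist.
    if not (path_segment.isascii() and path_segment.isdigit()):
        return NOT_FOUND
    record = APPLICATIONS.get(int(path_segment))
    if record is None or record["owner"] != session_user:
        return NOT_FOUND
    # Return only the fields the view needs, not the whole stored record.
    return 200, {"name": record["name"]}
```
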
TechCrunch also tested the website’s public search tool using ten different sets of data and successfully verified the accuracy of the leaked information. The search results not only displayed the names of the applicants but also revealed additional data such as their parents’ names in some cases.
The accidental disclosure of such critical personal data raises serious concerns about the government’s ability to protect citizens’ privacy. This incident highlights the importance of robust data security measures, especially for government agencies entrusted with sensitive information.
The Bangladeshi government must immediately address the vulnerabilities in its online systems and infrastructure to prevent further data breaches. Additionally, a comprehensive review of its data protection policies and procedures is necessary to ensure the privacy and security of citizens’ personal information.
Furthermore, affected individuals should be promptly notified about the breach and provided with guidance on how to protect themselves from potential misuse of their data. The government should consider implementing measures to offer support and resources for citizens to safeguard their personal information.
This incident serves as a reminder to governments worldwide about the critical importance of cybersecurity and data protection. It further underscores the need for increased investments in technology, infrastructure, and training to mitigate the risks associated with digital systems.
Ultimately, the resolution of this data breach must involve transparency, accountability, and a commitment to preventing future incidents. The government must learn from this breach and take all necessary steps to enhance its cybersecurity practices, ensuring the safety and privacy of its citizens’ data.

