An undisclosed Bangladeshi government website leaked the personal information of millions of its citizens, including their full names, phone numbers, email addresses, and national ID numbers.
Bitcrack Cyber Security researcher Viktor Markopoulos told TechCrunch he accidentally discovered the leak on June 27 and immediately contacted the Bangladeshi e-Government Computer Incident Response Team (CERT) to contain the security breach.
TechCrunch verified the leaked data was legitimate by using a portion to query a public search tool on the affected government website. After doing so, the website returned other data contained in the leaked database, such as the name of the person who applied to register and even the name of their parents in some cases.
Markopoulos added the government website was still available online by the time of TechCrunch's report.
The Bangladeshi government is yet to comment and respond to queries.
Issues with Bangladesh's National ID System
Every Bangladeshi citizen aged 18 and above is required by law to be issued a National Identity Card. The card gives its citizens access to several services like getting a driver's license, passport, buying and selling land, opening a bank account, and many more.
Markopoulos was concerned he found the date on the Bangladeshi website "too easy.
"It just appeared as a Google result and I wasn't even intending on finding it. I was Googling an SQL error and it just popped up as the second result," he told TechCrunch while referring to SQL, a language designed for managing data in a database.
Markopoulos added the exposure of email addresses, phone numbers, and national ID card numbers were bad on its own, but access to such information could also "be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification."
