Bangladesh Government Website Leaks Citizens’ Personal Information, Tech Researcher Reveals

Viktor Markopoulos said the website remains active as of press time.

Bitcrack Cyber Security researcher Viktor Markopoulos told TechCrunch the leak could be used to access, alter, or delete applications and data on its national register.

An undisclosed Bangladeshi government website leaked the personal information of millions of its citizens, including their full names, phone numbers, email addresses, and national ID numbers.

Bitcrack Cyber Security researcher Viktor Markopoulos told TechCrunch he accidentally discovered the leak on June 27 and immediately contacted the Bangladeshi e-Government Computer Incident Response Team (CERT) to contain the security breach.

TechCrunch verified the leaked data was legitimate by using a portion to query a public search tool on the affected government website. After doing so, the website returned other data contained in the leaked database, such as the name of the person who applied to register and even the name of their parents in some cases.

Markopoulos added the government website was still available online by the time of TechCrunch's report.

The Bangladeshi government has yet to comment or respond to queries.

Issues with Bangladesh's National ID System

Every Bangladeshi citizen aged 18 and above is required by law to be issued a National Identity Card. The card gives its citizens access to several services like getting a driver's license, passport, buying and selling land, opening a bank account, and many more.

Markopoulos was concerned that he found the data on the Bangladeshi website "too easy."

"It just appeared as a Google result and I wasn't even intending on finding it. I was Googling an SQL error and it just popped up as the second result," he told TechCrunch while referring to SQL, a language designed for managing data in a database.

Markopoulos added that the exposure of email addresses, phone numbers, and national ID card numbers was bad on its own, but access to such information could also "be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification."
