Over 5 crore Bangladeshi citizens' personal data 'exposed' online
More than five crore Bangladeshi citizens' personal information, including their full names, phone numbers, email addresses and National Identification (NID) numbers, has been exposed from a Bangladesh government website.
According to a report published by the US-based technology news outlet TechCrunch, Viktor Markopoulos, a researcher at Bitcrack Cyber Security, discovered the leak by accident on 27 June.
Markopoulos, who put the number of affected citizens at more than 50 million (five crore), said he had informed the Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT) about the breach.
Saiful Alam Khan Mohammad, the project director of BGD e-GOV CIRT, told the media that the data leak had come to their attention and that they would brief the media in the afternoon.
TechCrunch verified the legitimacy of the leaked data by using a public search tool on the affected government website. It searched for portions of the leaked data several times, and in every case the website returned records of Bangladeshi citizens matching them.
Markopoulos, who said "finding the data was too easy", also said the data was still available online.
"It just appeared as a Google result and I was not even intending on finding it. I was Googling an SQL [a language designed for managing data in a database] error and it just popped up as the second result," he said.
Terming the crisis a "situational alert on cyber threats", the CIRT team demonstrated its professionalism and expertise by swiftly initiating a thorough investigation into the matter, leaving no stone unturned in pursuit of understanding the extent and impact of the data breach, reads a press statement issued by the BGD e-GOV CIRT Project on Saturday.
It is crucial for all stakeholders involved to collaborate and support the CIRT's efforts to rectify the situation, implement necessary security measures, and prevent similar incidents in the future, the release said.
The CIRT alerts institutions to any cyberattack incident.
The regular activities of CIRT include situational alerts, security best practices, malware threat intelligence reports, cyber threat landscape, monthly magazines, vulnerability assessment and penetration testing (VAPT), risk assessment, incident handling and so on. By doing these, we always alert the institutions across the country before an incident happens and after it has happened, the CIRT press release said.
All are requested to take the following measures to ensure their security as well as data protection:
- Enhance your capability to combat growing cyber threats.
- Ensure vital services such as DNS and NTP, as well as network middleboxes, are securely configured and not exposed to the internet.
- Ensure proper information and cyber security awareness training for all employees, customers and consumers, so that they report any anomalies and/or suspicious activities they observe.
- Ensure strict network and user activity monitoring 24/7.
- Conduct Vulnerability Assessment and Penetration Testing (VAPT) for all the systems on a regular basis.
- Configure and harden web applications as per OWASP guidelines (https://owasp.org/www-project-web-security-testing-guide/v41/).
- Report or inform BGD e-GOV CIRT regarding the detection of IOCs and/ or any suspicious activities you observe within your environment, to work in collaboration through https://www.cirt.gov.bd/incident-reporting/ or [email protected]
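Markopoulos says the data surfaced as a Google result for an SQL error. The article does not say how the affected website actually exposed the data, and the following Python example is added here for illustration only; it is not code from that website, from Bitcrack or from BGD e-GOV CIRT. It shows the general failure class that a raw database error reaching a public page belongs to, beside the handling the OWASP guidance in the list above calls for: a lookup that echoes the database driver's error to the client versus one that validates its input, uses a parameterised query and returns only a reference id, plus a check that flags database error signatures in a response body. The in-memory table, its single row and the identifier format rule (10 to 17 digits) are constructed assumptions for the example.

```python
from __future__ import annotations

import logging
import re
import sqlite3
import uuid

# Constructed stand-in for a citizen lookup service: an in-memory SQLite table
# with one made-up row. Nothing here is from the affected government website.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE citizen (nid TEXT PRIMARY KEY, full_name TEXT, phone TEXT)")
conn.execute("INSERT INTO citizen VALUES ('0000000000', 'Example Person', '+8800000000000')")

log = logging.getLogger("lookup")

# Assumption for the example: identifiers are 10 to 17 digits. Replace with the
# real format rules of whatever identifier your application looks up.
NID_PATTERN = re.compile(r"\d{10,17}")


def lookup_leaky(nid: str) -> tuple[int, str]:
    """'Before': builds SQL by string concatenation and echoes the raw driver
    error to the client. Returns (HTTP status, response body)."""
    try:
        row = conn.execute(
            f"SELECT full_name, phone FROM citizen WHERE nid = '{nid}'"
        ).fetchone()
        return (200, f"{row[0]} {row[1]}") if row else (404, "not found")
    except sqlite3.Error as exc:
        # Engine name, exception class and query fragment go to whoever sent the
        # request, and to any crawler that later indexes the resulting page.
        return (500, f"sqlite3.{type(exc).__name__}: {exc}")


def lookup_hardened(nid: str) -> tuple[int, str]:
    """'After': validates input, uses a parameterised query, and returns only a
    generic message plus a reference id; the detail stays in server-side logs."""
    if not NID_PATTERN.fullmatch(nid):
        return (400, "invalid identifier")
    try:
        row = conn.execute(
            "SELECT full_name, phone FROM citizen WHERE nid = ?", (nid,)
        ).fetchone()
        return (200, f"{row[0]} {row[1]}") if row else (404, "not found")
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("lookup failed ref=%s input_len=%d err=%s", ref, len(nid), exc)
        return (500, f"internal error, reference {ref}")


# Strings a reviewer (or a search engine) would match in a response body.
# A few common database engines; extend for the ones you run.
DB_ERROR_PATTERNS = [
    re.compile(r"sqlite3\.\w*Error", re.I),
    re.compile(r"SQL syntax", re.I),
    re.compile(r"unrecognized token", re.I),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"psycopg2\.|PG::", re.I),
]


def leaks_db_error(body: str) -> bool:
    """Check a response body for database error signatures."""
    return any(p.search(body) for p in DB_ERROR_PATTERNS)


def run_probes() -> dict:
    """Send a valid id and a constructed malformed input (a lone quote, which
    breaks the concatenated SQL) through both handlers."""
    probes = {"valid": "0000000000", "quote": "'"}
    out = {}
    for name, value in probes.items():
        out[name] = {"leaky": lookup_leaky(value), "hardened": lookup_hardened(value)}
    return out


if __name__ == "__main__":
    for name, result in run_probes().items():
        for handler, (status, body) in result.items():
            print(f"{name:6} {handler:9} {status} leaks={leaks_db_error(body)} {body}")
```

Running the script shows the leaky handler answering the malformed input with a 500 whose body names the database engine and the failing token, which `leaks_db_error` flags, while the hardened handler rejects the input before it reaches the database. The same `leaks_db_error` check can be pointed at saved responses from your own public endpoints, or at what a search engine has cached for your domain, as a quick test of whether error pages are leaking.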
What Viktor Markopoulos told TBS
Viktor Markopoulos is an information security consultant working for South Africa-based Bitcrack Cyber Security and specialising in web applications.
TechCrunch first reported the leak after Markopoulos's discovery.
The Business Standard contacted Viktor and requested the name of the Bangladesh government website from which the data was leaked.
In response, Viktor said, "I am not very comfortable with sharing the origin of the leak as it is still alive and can easily be abused."
However, he sent TBS several screenshots by email, which TBS is scrutinising.
Saiful Alam Khan Mohammad, the project director of BGD e-GOV CIRT, told a local media outlet that they were looking into it.
"We may make a statement to the media later this afternoon," he said.
The Business Standard tried to contact him over the phone, but he did not answer the call.