digital infrastructure and cybersecurity are facing significant challenges, leading to concerns about its safety and vulnerability. As the country approaches a crucial parliamentary election, there has been a worrisome increase in data leaks and cyberattacks. A recent incident involved a suspected leak of personal data belonging to 50 million citizens from the Office of the Registrar General, Birth and Death Registration (BDRIS). This breach exposed sensitive information such as National ID numbers, names, addresses, dates of birth and parents’ details, making it easy for malicious actors to create counterfeit NIDs. This poses a serious risk of influencing the electoral system, with the potential for misuse of this data by either the ruling party or other local as well as foreign entities. As a result, urgent measures are required to address the prevailing vulnerabilities and safeguard the integrity of Bangladesh’s digital arena.
Viktor Markopoulos, a researcher at Bitcrack Cyber Security, an international cybersecurity solution provider based in South Africa, discovered that the BDRIS website was unprotected and had leaked various personal details of numerous citizens. Despite contacting the Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT), Markopoulos received no response.
Interestingly, on the official website of BGD e-GOV CIRT, prominent figures such as the prime minister herself, the IT adviser to the prime minister, the state minister of information technology and the BTRC Chairman are all displayed as the team in charge, complete with their pictures. However, attempts by US-based online newspaper TechCrunch to seek information regarding the leak from the government’s press office, the Bangladesh embassy in Washington DC, and the Bangladesh consulate in New York City remained unanswered.
This incident has exposed significant vulnerabilities in the digital security of Bangladesh government. The lack of effective cybersecurity measures and poor management practices have alarmingly intensified data leaks and cyberattacks on both citizens and government databases in the country.
According to Markopoulos’ statement to TechCrunch, the leaked information surfaced automatically during a Google search without any intentional effort to seek it. Specifically, it emerged as the second result when searching for an SQL error, indicating a vulnerability in the website’s programming language used for database queries. With this personal data now accessible through web applications, there is a heightened potential for unauthorised access, modifications, or deletions of birth registration records. Consequently, the accuracy and transparency of the data are in question, amplifying concerns regarding its misuse and potential implications for the individuals affected.
Inadequate IT infrastructure and vulnerable digital security persist as pressing issues in the country. Recently, there have been instances of “Distributed Denial-of-Service” (DDoS) attacks, where poor security measures have allowed servers to be flooded with excessive internet traffic, resulting in the disruption of connected online services and sites. Several prominent institutions have also fallen victim to cyberattacks. The Bangladesh Krishi Bank’s servers are currently under attack by ransomware, and in March, hackers demanded $5 million in ransom from Biman Bangladesh Airlines while holding 100GB of data hostage. On March 15, a group called New World Hacktivists leaked 84 police login credentials. Just two days later, another hacking group called the Indian Cyber Force leaked information of about 270,000 Bangladeshi citizens from the Cox’s Bazar police’s server. A couple of years ago, taxpayers’ information was also compromised in a separate incident. Last but not least is the unprecedented Bangladesh Bank reserve theft in 2016, on which a Hollywood documentary titled Billion Dollar Heist has been made, due to come out next month.