The personal details of Bangladeshi citizens have been accidentally disclosed by the website of the Office of the Registrar General, Birth and Death Registration.
According to research by TechCrunch and confirmed by South African company Bitcrack Cyber Security, the leaked data included full names, phone numbers, email addresses, and national ID numbers of Bangladeshi citizens.
Leaky Data Discovered
Bitcrack Cyber Security researcher Viktor Markopoulos said he accidentally discovered the leak in late June and contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT) afterwards. He told TechCrunch that the leak included data of millions of Bangladeshi citizens. However, the exposed data was taken down five days later.
Asked how long the data was accessible, Markopoulos says he could not be sure, but he knows it was available from June 27 until July 9, when he discovered it and the issue was fixed. “The records I found there though were dating back to at least 2021,” he notes.
Markopoulos says he could not be sure if the data had been compromised or used. “Anyone could’ve found them out like I did,” he says. “I searched some Dark Web forums at some point to see if there was any relative leaks for sale, [and] I didn’t find any.”
Actions of the Government
The CIRT initiated “a thorough investigation into the matter, leaving no stone unturned in pursuit of understanding the extent and impact of the data breach,” the organization said in a press release.
According to Markopoulos, finding the data was very simple, as it appeared as a Google search result. “All I did was follow the instructions that the vulnerable API was telling me — it was showing an error that the word ‘register’ in the URL should be a number and not a word,” he explains. “So I just changed ‘register’ to 123456789 and it just popped the birth application of a random person with all the relevant data required.”
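The two weaknesses in that account, an error message that states the expected input type and a record returned for any well-formed number with no ownership check, are shown below next to a hardened lookup. This is an added illustration, not code from the affected website: the URL path, account names, function names and records are all hypothetical and constructed.

```python
import re

# Constructed sample data: application id -> (owning account, record).
APPLICATIONS = {
    "123456789": ("acct-17", {"name": "Sample Person", "national_id": "0000000000"}),
    "123456790": ("acct-42", {"name": "Other Person", "national_id": "1111111111"}),
}
ID_PATTERN = re.compile(r"[0-9]{9}")  # assumed id format for this sketch


def last_segment(path):
    """Return the final path segment, e.g. 'register' or '123456789'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_lookup(path):
    """Pattern from the article: the error reveals the expected type, and any
    existing id returns a record to any caller."""
    app_id = last_segment(path)
    if not app_id.isdigit():
        return 400, {"error": f"'{app_id}' in the URL should be a number"}
    entry = APPLICATIONS.get(app_id)
    if entry is None:
        return 404, {"error": "no such application"}
    return 200, entry[1]  # no authentication, no ownership check


def hardened_lookup(path, session_account):
    """Require a session, answer every failure identically, and release a
    record only to the account that owns it."""
    if session_account is None:
        return 401, {"error": "authentication required"}
    denied = (404, {"error": "not found"})
    app_id = last_segment(path)
    if not ID_PATTERN.fullmatch(app_id):
        return denied  # malformed id: no hint about the expected format
    entry = APPLICATIONS.get(app_id)
    if entry is None or entry[0] != session_account:
        return denied  # missing or foreign record looks the same to the caller
    return 200, entry[1]


if __name__ == "__main__":
    for p in ("/api/application/register", "/api/application/123456790"):
        print(p, vulnerable_lookup(p), hardened_lookup(p, "acct-17"))
```

Keeping the response identical for malformed, missing and foreign identifiers also means the endpoint cannot be used to learn which numbers correspond to real records.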
TechCrunch said it used 10 different sets of data on the public search tool of the government website and was able to verify the data. The website returned other data contained in the leaked database such as the name of the person who applied to register and, in some cases, their parents’ names.