At least 1,100 citizens have had their personal documents exposed on a website while applying for the government’s e-Apostille service, which is required to authenticate documents for overseas study, employment or business.
The leaked documents include national identity cards (NIDs), passports, marriage certificates, educational certificates, trade licences, business contracts and other sensitive personal information.
Those affected said they had applied through shops or intermediaries rather than submitting applications directly on the official government website.
Cybersecurity experts, however, say that whether applications were submitted personally or via intermediaries, the fact that such a large volume of data ended up on a fake platform modelled on a government service points to serious weaknesses in digital governance.
To make various Bangladeshi government documents legally acceptable abroad, they must be authenticated through the Ministry of Foreign Affairs. To make the process simpler, faster and more transparent, the ministry operates the apostille service online under the myGov platform of the Aspire to Innovate (a2i) programme, which is run by the ICT Division. This is known as the e-Apostille service.
An e-Apostille certificate includes a QR code, which can be scanned to verify that the relevant document has been authenticated. According to a2i records, around 1.7 million (17 lakh) e-Apostille applications have been processed over the past 11 months.
The official e-Apostille website under the myGov BD platform operates on a dot-bd domain. However, the website on which citizens’ personal data was exposed operates on a dot-news domain. Officials of a2i say a group has created a fake website closely resembling the government’s site to carry out fraud.
An examination of the fake site shows that at least 1,100 fake e-Apostille certificates were generated between 12 October and 11 December. Alongside the certificates, the site contains NIDs, marriage certificates, educational certificates, passports and business documents. Anyone can easily view this information.
Scanning the QR code on a fake certificate leads to a web address that identifies records by a sequential number. Simply changing that number in the address brings up another person's documents. In other words, a user can access another individual's sensitive documents without any identity verification or additional authorisation.
Cybersecurity experts say this is a well-known website vulnerability known as Insecure Direct Object Reference (IDOR). They note that using random and unique identifiers (UUIDs) instead of sequential numbers could largely prevent such unauthorised access.
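The lookup pattern described above, shown as an added example that is not code from the page, from the a2i platform or from any of the sites involved: a store keyed by a sequential number that anyone can walk, the enumeration that makes possible, and a hardened store that keys records by a random token and still checks that the requesting session owns the record. The record contents, user names and numbers are constructed for the example. The ownership check is the part that actually closes the hole; an unguessable identifier only raises the cost of enumeration, so the hardened version does both.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str    # account that uploaded the document
    kind: str     # e.g. passport, NID, marriage certificate
    content: str  # stands in for the scanned file


# Constructed sample data: sequential record numbers, as on the cloned site.
DOCS_BY_SEQ = {
    1001: Document("alice", "passport", "passport of alice"),
    1002: Document("bob", "nid", "NID of bob"),
    1003: Document("carol", "marriage_certificate", "marriage certificate of carol"),
}


def vulnerable_view(doc_id: int):
    """IDOR: whoever supplies the number gets the record, no owner check."""
    doc = DOCS_BY_SEQ.get(doc_id)
    return doc.content if doc else None


def enumerate_vulnerable(start: int, stop: int):
    """What 'changing the number' amounts to: walk the range and keep every hit."""
    found = {}
    for seq in range(start, stop):
        content = vulnerable_view(seq)
        if content is not None:
            found[seq] = content
    return found


class SecureStore:
    """Hardened lookup: random token as the public reference plus an ownership check."""

    def __init__(self):
        self._by_token = {}

    def add(self, doc: Document) -> str:
        # 32 random bytes from the OS CSPRNG; infeasible to guess or to walk sequentially.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = doc
        return token

    def view(self, session_user: str, token: str):
        """Return the document only if it exists AND belongs to the caller's session.

        Missing and forbidden give the same answer so a probe cannot learn whether
        a token is valid by comparing responses.
        """
        doc = self._by_token.get(token)
        if doc is None or doc.owner != session_user:
            return None
        return doc.content


def demo():
    """Walk through both versions; returns values the reader can inspect."""
    leaked = enumerate_vulnerable(1000, 1010)          # three records, none ours
    store = SecureStore()
    alice_token = store.add(DOCS_BY_SEQ[1001])
    own = store.view("alice", alice_token)             # owner: document returned
    other = store.view("bob", alice_token)             # other user: denied
    bogus = store.view("alice", "not-a-real-token")    # unknown token: denied
    return leaked, own, other, bogus


if __name__ == "__main__":
    print(demo())
```

The token is the public identifier that would go into the QR code URL; the per-request ownership check is what stops a valid link from being useful to anyone but the applicant (or a verifier endpoint that deliberately returns only the authentication status, not the underlying documents).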
Prothom Alo tried to contact 20 people whose data had been leaked and managed to reach nine of them. All nine confirmed that the leaked documents were genuine.
None of the nine, however, was aware that their information had been exposed. After being informed, one of them, a woman, became visibly distressed. When asked whether she had applied herself, she told Prothom Alo that she had applied through an agency about a month ago.
The cybersecurity team of the a2i programme under the ICT Division has been investigating the website cloning incident and has identified multiple fake and look-alike websites. They say these sites have no connection to the official e-Apostille service.
The investigation found that a total of six fake domains were active, masquerading as the government’s myGov and e-Apostille services. These domains used similar spellings and structures of the words ‘myGov’ and ‘apostille’ to mislead citizens.
The investigation further noted a high risk of phishing, collection of citizens’ personal data and financial fraud on these sites. It also warned of the potential damage to the reputation of government digital services, in addition to risks for citizens’ data security.
According to sources from the ICT Division, a fake website mimicking a government platform for freelancers had also been created in the past.
Cybersecurity experts warn that leaks of documents such as passports and marriage certificates can lead to identity theft, fraud and personal security risks. Women, in particular, face a higher risk of misuse of such information.
Previously, allegations were made that data of 50 million (5 crore) citizens stored in the government’s Covid-19 vaccination management system, ‘Surokkha’, had been leaked on the dark web. Last year, advertisements were posted on a website offering the data for sale.
Professor BM Mainul Hossain, director of the Institute of Information Technology at the University of Dhaka, believes that repeated exposure of personal data in this way is creating mistrust and a lack of confidence among citizens.
He told Prothom Alo that such incidents have a very negative impact on the digital transformation of government services. Personal information is not like a password that can be changed once it is leaked. Once exposed, it effectively becomes public for life.
The professor advised that internationally recognised strategies and processes for data protection must be ensured before collecting citizens’ information.
Faiz Ahmad Taiyeb, special assistant to the chief adviser in charge of the Ministry of Posts, Telecommunications and Information Technology, described the cloning of government websites as “sabotage”.
He told Prothom Alo, “The investigation report has been received. Letters will be sent to the relevant agencies to take action. However, the issue is challenging. It was already known that the personal data of tens of millions of Bangladeshis is circulating on the dark web. This data is being used for sabotage.”
Faiz Ahmad Taiyeb also blamed two companies, saying they have in some cases created alternative storage for citizens’ data. Using this, citizens are being misled and fake websites are being created in the guise of government platforms, with the primary aim of undermining trust in official websites. He added that there are plans to set up a new cell to prevent such activities.