Cybersecurity expert Viktor Markopoulos was busy in his routine work like any other day on 27 June. Suddenly he sensed something fishy on the net somewhere. Out of curiosity he changed a certain word in the URL (Uniform Resource Locator) and came across personal information of a Bangladesh citizen. Within moments his computer was flooded with the personal data of a huge number of Bangladeshis.
Viktor Markopoulos, an information security consultant at South Africa-based Bitcrack Cyber Security, an international organisation that works with cybersecurity, informed Prothom Alo of this on 9 July.
“I never came across any incident of data leak of this big. My assessment says the personal information of about 50 million people have been leaked. Those people have been harmed in various ways,” he said.
Viktor Markopoulos also said that when he came across the incident, he tried to contact the Bangladeshi authorities “multiple times” but he did not get any response from any authorities.
Personal data means a person’s name, address, date of birth, mobile phone and passport numbers, fingerprints and any other information that can be used to identify him. Any leak of such information creates risk of becoming a victim of fraudulence and crime.
TechCrunch, the US-based online newspaper focusing on high tech and startup companies, ran a report on 7 July on the leak of personal data of Bangladesh citizens that Viktor Markoupoulos was talking about.
The report said the leak happened from a website of the government of Bangladesh. TechCrunch, however, did not disclose the name of the website. The matter was widely discussed following the reports published by Bangladeshi media outlets on Sunday, the first working day of the week.
I never came across any incident of data leak of this big. My assessment says the personal information of about 50 million people have been leaked. Those people have been harmed in various waysViktor Markopoulos, South Africa-based cybersecurity expert
State minister for information and technology Zunaid Ahmed spoke to the media about the leak at the inauguration of Bangabandhu International Cybersecurity Awareness Award Programme on Sunday. The election commission’s NID wing director general AKM Humayun Kabir addressed a media conference about the incident. Before that BGD e-GOV CIRT, a project of Bangladesh Computer Council of the government’s ICT division that works on cybersecurity, sent a media release. But none of the three authorities of the government gave any clear indication as to the negligence of which organisation led to such a disaster.
In an email to Prothom Alo, Viktor Markopoulos said he sent six emails to cirt@cirt.gov.bd, info@cirt.gov.bd, saiful.khan@bcc.gov.bd. He has sent screengrabs of those emails too.
The first two email addresses are of BGD e-GOV CIRT while the third one is of BGD e-GOV CIRT project’s director M Saiful Khan.
State minister for information and technology Zunaid Ahmed and BGD e-GOV CIRT, however, said they did not get any information from Viktor Markoupoulos.
Viktor in the email he sent to BGD e-GOV CIRT on 27 June wrote, “I hope this email finds you well. I am writing to inform you about a critical security vulnerability that I have recently discovered within your systems… As a concerned citizen of this world and a cybersecurity professional, my intention is solely to assist you in improving the security of your infrastructure, with no malicious intentions whatsoever.”
“The security vulnerability I have uncovered poses a significant risk to the privacy and security of your citizens’ personal information, particularly their birth certificates and birth registration records. If exploited by a malicious actor, this vulnerability allows unauthorised access to birth certificate records, potentially leading to identity theft and other severe consequences,” he wrote.
The South African cybersecurity expert also wrote, “My knowledge is limited to how exactly the citizens apply for birth registration, since, I am not a citizen of Bangladesh. Nevertheless, I found by accident that there is an API endpoint that publicly exposes information regarding the birth certificate application of citizens that allow anyone to view those private applications, plus revealing important PII such as email address, phone number, birth place, physical address etc…. I assure you that my motivation lies solely in safeguarding the privacy and security of your citizens. As a responsible member of the society, I firmly believe that our collective efforts can lead to a safer and more secure environment for everyone.”
In his email Viktor Markopoulos also wrote, “Please acknowledge the receipt of this notification at your earliest convenience and provide an appropriate point of contact whom I can liaise with throughout the resolution process. If necessary, I am available for further discussions or clarifications regarding the matter. Thank you for your attention to the critical issue. I have full confidence in your commitment to ensuring the protection and well-being of your citizens…. I hope I am sending this to the correct email addresses. If not. Could please forward this email to or redirect me to the appropriate people? I am at your disposal for any additional information needed.”
Viktor told Prothom Alo that he sent the email to the Bangladesh authorities again on 28 June, 3 July, 4 July, 5 July and 7 July.
He also said it happened because of lack of security mindset while developing the web application. There should have been security issue in mind when developing the system, especially when holding such important data.
Asked, the cybersecurity expert said the government should communicate openly about it with the public, let them know the risks, run an investigation to who else might have found the data before me and secure properly government systems.
Meanwhile, speaking about the data leak to newspersons, state minister for information and technology Zunaid Ahmed said the leakage of information of ‘millions’ of people from a government website happened due to technical weakness. “The website was weak in terms of security. We have seen that there were technical flaws. As a result the information became open to people. We have no way to avoid the liability,” he added.
* The report has been rewritten in English by Shameem Reza