EC ‘lapses’ lead to massive leak of journalists’ personal data
Serious flaws in an online system launched by the Election Commission (EC) ahead of the 13th national parliamentary election have exposed the personal information of at least 14,000 journalists.
Photographs, signatures, national identity card details, and media-related information remained publicly accessible for around two hours.
Applications submitted by journalists through the EC’s website contained photographs, signatures, national ID cards, office identity cards, lists of journalists approved by media organisations, and other institution-related information.
Tanvir Hassan Zoha, a prosecutor at the International Crimes Tribunal and an information technology expert, described the incident as direct evidence of irresponsibility by a state institution. He told Prothom Alo, “How can a constitutional body launch a system that lacks data protection, access control, and even basic security testing? The most critical question is whether the personal data of these 14,000 journalists were copied or fell into the hands of any third party.”
He added that those who speak loudly about protecting journalists’ data, digital security, and personal privacy are, in practice, the very ones handing over such information into the most insecure hands.
Ahead of the 13th parliamentary election and the referendum, the EC had changed the rules for issuing cards to journalists and observers. For the first time, the commission made online applications (via pr.ecs.gov.bd) mandatory for obtaining journalists’ cards and vehicle stickers.
However, following protests from journalists, the EC reversed the decision last Thursday and opted to issue cards manually. Before the reversal, nearly 14,000 journalists had already applied for cards and stickers through the online system.
After 4:00 pm on Saturday, the information of journalists who had applied through the EC’s website suddenly became publicly accessible. By replacing “user” with “admin” in the website URL, full applications and data could be viewed.
In addition to a list appearing on the homepage, applicants’ names, NID numbers, mobile phone numbers, and options to open complete applications became visible.
Although the website later became inaccessible in the evening, the damage had already been done. At around 9:00 pm, EC Secretariat Senior Secretary Akhtar Ahmed told Prothom Alo over the phone: “This matter is not within my knowledge.
I worked in the office until 2:30 pm today, and nothing about this was known then. Since the afternoon, several people have called asking about the issue. It would not be right to comment without knowing what information was leaked and how. I will be able to find out after going to the office tomorrow.”
Information technology experts have stressed the need for proper security testing and sensitive data protection mechanisms before launching any digital system under state management.
BM Mainul Hossain, director of the Institute of Information Technology at the University of Dhaka, told Prothom Alo: “Digital systems essentially run on trust and confidence. If state institutions fail to build that trust, people will become disillusioned with digital systems. This will put the entire digital transformation process at risk.”