Voter list being sold on Facebook for Tk 30-250: Dismislab investigation

The final voter list of the 13th parliamentary election is being sold on Facebook for prices ranging between Tk 30 to Tk 250. The voter database reportedly contains personal information such as voters’ names, voter numbers, parents’ names, dates of birth, occupations and permanent addresses.

These findings emerged from an investigation by Dismislab, a fact-checking initiative of Digitally Right.

The 13th parliamentary election was held on 12 February, 2026. Ahead of the elections, the election commission (EC) had published the final voter list on 18 November, 2025. The list was distributed to nominated candidates for electoral purposes.

According to the investigation, that same database is now being sold through social media.

Dismislab found that on 28 May, a Facebook account posted in a group offering constituency-based voter lists for Tk 30 and the nationwide voter database for only Tk 40. Following this, Dismislab conducted a search using relevant keywords and found more than 500 such posts offering the voter list for sale.

The posts were made from at least 15 different accounts. Although the prices varied, the descriptions and sales pitches in the posts were largely identical.

Not only through group posts, voter lists are also being sold via paid advertisements run from Facebook pages. By searching relevant keywords in Facebook’s Ad Library, Dismislab found at least five active advertisements promoting the sale of constituency-specific and nationwide voter lists.

The descriptions in these ads state that the voter lists will be provided as PDF files via Google Drive. The price is set at Tk 99 for constituency-specific lists and Tk 250 for the nationwide database.

For the purpose of the investigation, Dismislab contacted one such page requesting the nationwide voter list. The page instructed them to send Tk 250 to a bKash account. Shortly after the payment was made, a Google Drive link was shared. The link contained folders organised by the country’s eight divisions, with each containing constituency-wise voter lists categorised by area. The dates on the files indicated they were published in November 2025, confirming that they were EC’s final voter lists.

After cross-checking the information against the records of known individuals, Dismislab found that the data was authentic. The lists contain personal information including voters’ names, voter identification numbers, parents’ names, dates of birth, occupations and permanent addresses.

The investigation further revealed that the voter lists are being circulated beyond Facebook onto Telegram. By joining a Telegram link found in the comments of a Facebook post, Dismislab found that voter lists for various constituencies and localities were being distributed free of charge.

When asked whether anyone has the authority to sell or distribute citizens’ personal information in this manner, election commission public relations director Md Ruhul Amin Mallik told Dismislab that candidates had been provided with voter lists in PDF format without photographs.

He said a candidate may have shared the files with others, but the commission had not authorised their sale. He speculated that the data might have been copied at a computer or photocopy shop while the lists were being reproduced.

When Dismislab contacted the individual from whom it had obtained the voter list, the seller claimed to have collected it from social media himself. As evidence, he provided screenshots and screen recordings of conversations. However, attempts to reach the source number shown in those records were unsuccessful, as the number is currently inactive.

The leak comes at a time when Bangladesh has a specific legal framework for protecting personal data. According to the Information and Communication Technology Division, the Personal Data Protection Act, 2026 came into effect on 15 April, replacing the Personal Data Protection Ordinance, 2025.

Under the law, a data controller or processor that fails to protect the rights of data subjects may face an administrative penalty ranging from 1 to 2 per cent of its annual turnover.

However, it remains unclear who will be held legally accountable for this voter list leak.

The election commission supplied the lists through an established process, while it is believed that the data may have been leaked through a candidate or a candidate’s representative.

The lists are now being resold by individuals and page operators on Facebook. Since the turnover-based penalty structure is primarily designed for institutional data controllers, there is little clarity on how it would apply to individuals selling personal information through social media.

Speaking about the risks such data exchanges pose to citizens, Professor BM Mainul Hossain, director of the Institute of Information Technology at Dhaka University, said criminals can use the leaked data to create fake identity cards and apply for various services. Such data could also facilitate fraud involving banks and financial institutions or enable attackers to take control of someone’s online accounts.

It is possible to conduct cybercrimes by opening social media accounts under someone else’s name through the misuse of this information, he warned.

Regarding what relevant institutions should do to ensure the protection of citizens' data, Professor Mainul Hossain said that institutions that collect sensitive personal data—such as NID, voter lists, birth registrations, or educational information—must allocate a budget for data protection from the outset and conduct regular security audits to safeguard that information.