Data leak: Personal information in criminal hands


An alarming incident has come to light where the personal information of hundreds of thousands of citizens, including their names, addresses, cell phone numbers, National Identification (NID), birth certificate details, and even photos, can be easily accessed with just a few keywords and clicks.

This sensitive citizen data was openly available on various government websites, posing a significant risk of falling into the wrong hands, potentially enabling criminal activities.

Following media reports on the data leak affecting hundreds of thousands of individuals, it was discovered that numerous citizens’ personal information was accessible on multiple government websites. This security breach raises concerns that these details could be exploited by criminals.

To illustrate the severity of the situation, a fraud incident involving five government officials has come to light. The Criminal Investigation Department (CID) of the police has reported that these officials were recipients of grants from the Bangladesh Karmachari Kallyan Board (BKKB).

The list of officials who received these grants, along with their personal information, was uploaded on the BKKB website. Exploiting this publicly available data, miscreants managed to obtain the officials’ contact details and subsequently lured them into divulging their bank information under the pretense of receiving additional grants. As a result, these criminals successfully stole Tk 475,000.

BKKB has clarified that they initiated the facility of directly transferring grants to the bank accounts of government officials using Electronic Fund Transfer (EFT). In an effort to maintain transparency, the BKKB provided various details on their website, including the names, addresses, grant amounts, and mobile numbers of the beneficiaries.

However, miscreants took advantage of this information and attempted to deceive individuals by contacting them. Unfortunately, many officials fell victim to these scams and suffered financial losses.

In early 2022, the fraudulent activities came to light, prompting the BKKB to report the matter to the police. To raise awareness, the organisation also issued warnings through newspaper advertisements. Subsequently, a case was filed at Ramna Model Police Station on 11 August last year, leading to the arrest of two individuals involved in the scam.

During a press conference held by the CID on 21 August, it was revealed that not only these five officials but numerous other government officials had also been targeted by the fraudsters.

Moniruzzaman, Assistant Director (Administration) of the BKKB, said, “I received a call from the fraudsters too. In response to the incident, BKKB decided to stop uploading the list of grant recipients along with their personal information on the website. Currently, only diary numbers (individual application numbers) are provided.

Despite efforts to address the issue, a simple search on the popular search engine, Google, reveals a significant amount of information. On multiple occasions, including July 11 at 12:56 PM, July 14 at 8:50 PM, and last Sunday at 8:00 PM, approximately 2,000 individuals' information was found in Excel files during searches. The specific keywords and website names are withheld for security reasons.

Minister of State for Information Technology, Zunaid Ahmed, acknowledged the risk of becoming a victim of cybercrime due to the breach of personal information. Speaking to reporters on 10 July, he emphasised the potential consequences if such information were to fall into the wrong hands.

Information that is available

Section 26 of the Digital Security Act states, “If any person collects, sells, possesses, provides or uses identity information of any other person without lawful authority, then such act of the person shall be an offence.”

The section specifies that the information will include photos, addresses, dates of birth, mother's name, father's name, signatures, national identity, birth and death registration numbers, fingerprints, passport numbers, bank account numbers, driving licences, e-TIN (tax identification) numbers and such.

The first Excel file this correspondent came across through Google search on 11 July contained the names, dates of birth, national identity numbers, registered mobile numbers, occupations and addresses of 132 people. Another Excel file appears to contain images with personal information, which can be used to commit identity theft.

Identity theft is a common means of cybercrime throughout the world. By obtaining an individual’s personal information, fraudsters can steal money from bank accounts, credit cards or Mobile Financing Services (MFS) accounts. The misuse of leaked data can go as far as obtaining bank loans using someone else’s personal information.

Prothom Alo talked to three of the government officials who were defrauded due to the data breach. They said they got phone calls from persons identifying themselves as BKKB officials, who told them they would get more grants. They were asked to give their bank card numbers to get the additional grant amount. The fraudsters gave some specific information that was not supposed to be known by others. This led the victims to believe the callers were actually from the BKKB and to provide them with their card numbers. Later the victims received One Time Passwords (OTP) and shared those too with the scamsters. Afterwards they found that money had been withdrawn from their bank accounts.

Retired district livestock officer Rafiqul Islam lost Tk 300,000. The fraudsters made 10 transactions (Tk 29,999 in each transaction) from his bank account, using his credit card number and an OTP 10 times. The money was transferred to the MFS number. Rafiqul had to repay the money to the bank from his pension.

Rafiqul told Prothom Alo that he had never lost money this way in his life.

“I returned the credit card after the incident. I never used it,” he added.

We asked an official of a private bank who is entrusted with preparing loan documents whether it is possible to obtain a bank loan by forgery using a person’s name, date of birth, national identity card and photograph. He said taking a loan this way is possible in connivance with the relationship manager (RM) of a bank.

What do government officials say?

A list of certain people from a certain union parishad can be found on Google. The secretary of the union parishad told Prothom Alo that they prepared the list and sent it to the upazila office. There is a computer operator post to oversee the website of that union, but no one has ever been recruited to that post. The union digital centre’s entrepreneurs update the information on the website.

The entrepreneur of that digital centre, whose name was not disclosed, told Prothom Alo he studied till higher secondary and received little training on information technology from the upazila and district.

Prothom Alo spoke to five of the officials concerned about personal information being provided on the websites. They argued that they published lists of people for transparency and that there are government instructions on it. They, however, could not give any proper answer to the query on why it is necessary to provide mobile phone and national identity (NID) numbers on the lists.

Replying to a query on whether the government instructions state anything on the extent of providing individuals’ information, an upazila nirbahi officer (UNO), whose name was not disclosed, told Prothom Alo they do whatever the higher authorities instruct.

The government websites have been developed through a government project. A main website was built first, and then thousands of websites were developed on its subdomains. Respective local organisations or agencies operate these websites. Replying to a query on whether these organisations have received training on the protection of personal information, the director of that project told Prothom Alo in a statement that their training module includes the issue of the protection of personal information.

But the information is apparently public. In some cases, lists of individual names with no additional information were published on government websites, which experts said is the proper practice. They said there is no need to publish an individual’s NID and mobile phone numbers in the name of transparency.

What legal protection is there?

A personal information protection act provides legal protection against the disclosure of personal information. This law has not yet been enacted in Bangladesh. Prothom Alo spoke to two Supreme Court lawyers and two university professors of information technology law to find out how citizens can get legal protection in the absence of any such law. These four experts said that there is no specific legal protection in Bangladesh. However, Article 43 of the constitution ensures citizens’ right to privacy. The Universal Declaration of Human Rights (1948) also recognised the right to privacy.

Lawyer Aneek R Haque told Prothom Alo that government agencies can take personal information of citizens if need be but it cannot be kept open on the website.

There are precedents of punishing organisations responsible for data breaches in various countries around the world. In 2019, Singapore’s Integrated Health Information System was fined US$750,000 (about Tk 80 million) for leaking personal information of patients. In 2022, Ireland's Data Protection Commissioner fined social media platform Instagram US$400 million. There are other examples of such large fines.

‘Consequence can be devastating’

Incidents of personal data leakage have taken place in Bangladesh at different times. Recently, US online news agency TechCrunch disclosed that information of thousands of Bangladeshi citizens has been leaked from a government organisation’s website. The government only reacted after the news came to the fore. The Information Technology department on 10 July held a meeting with the chiefs of 29 organisations that collect information about citizens. Two committees have been formed to assess the situation.

Ershadul Karim, senior lecturer in the Law & Emerging Technologies department at the University of Malaya, told Prothom Alo, “The consequence of keeping citizens’ personal information open on government websites this way can be devastating. This is not acceptable at all.”

He said personal information must be kept adhering to all safety measures under a specific policy, because criminals will be able to commit various types of crimes, especially financial crimes and government benefit-related crimes, by using the information of common people that is kept public.