Troves of information on the personal details of Bangladeshi citizens have been stolen once again, and this time, the issue was with the National Telecommunication Monitoring Center (NTMC).
The leaked data included citizens’ names, professions, blood groups, parents’ names, phone numbers, the length of calls, vehicle registrations, passport details, and fingerprint photos.
US-based Wired magazine reported the leak on Thursday. The magazine, however, did not report on the number of people whose personal information was leaked.
Viktor Markopoulos, who is a security researcher for US-based firm CloudDefense.AI, discovered the unsecured database. He told Wired hackers took over the database on 12 November.
According to Wired, Markopoulos reported the exposed information to Bangladesh’s Computer Incident Response Team (CIRT) on 8 November, and the agency acknowledged his message and thanked him for disclosing the “sensitive exposure.” In an email to Wired, the CIRT said it had “notified the issue” to the NTMC.
The CIRT did not respond to Prothom Alo’s requests for comment on Thursday.
NTMC director general major general Ziaul Ahsan told Prothom Alo, “No data was leaked from our system. We provide sample data for any task. No real data is provided, and that sample data has been leaked. However, we are trying to identify the developer, from whom data was leaked.”
Wired verified several pieces of the leaked data and found those to be correct. Some of the data exposed appears to be test information, as well as data that is incomplete or incorrect.
“I wouldn't be expecting this to happen for any intelligence service, even if it's not really something that sensitive,” Viktor Markopoulos, a security researcher for CloudDefense.AI who discovered the unsecured database, was quoted as saying.
According to the Wired report, the vast majority of the data exposed in the NTMC database is metadata—the extremely powerful “who, what, how, and when” of everyone’s communications.
Phone call audio was not exposed, but metadata shows which numbers may have called others and how long each call lasted. This kind of metadata can be used broadly to show patterns in people’s behaviour and whom they interact with, the US magazine said.
One person contacted by WIRED confirmed that the email, mobile number, and a billing address listed belonged to them.
US-based cyber security consultant Jeremiah Fowler reviewed the exposed database and confirmed its links to the NTMC.
Earlier in July, US-based news website TechCrunch reported that the personal data of millions of Bangladeshi citizens had been left exposed online, and that the issue was with the Office of the Registrar General, Birth & Death Registration website. Days later, a huge amount of data was reportedly leaked from an education board.
Wired reached a Bangladesh-based researcher who asked not to be named, fearing repercussions. The researcher says they “expect to see more surveillance and targeting of individuals” ahead of the elections next year.
“I think the number one priority has to be to make individuals, especially activists … aware of the surveillance system and understand how to be safe online,” the researcher says when asked about digital rights. “When, in the country, people are fighting for their basic rights -- such as securing their daily livelihood and fighting for their political rights -- digital rights come much later.”