Govt agency was alerted earlier

The government agency, from which the personal information of millions of people was leaked, was warned by the government’s cyber security team CIRT beforehand.

The CIRT wrote to the agency informing them about the security flaws on 8 June. Despite that, no protective measure was taken.

As a result of that, South Africa-based international cyber security agency Bitcrack Cyber Security’s researcher Viktor Markopoulos first noticed the issue on 27 June.

Meanwhile, there has been a stir in the government following the media reports on leakage of personal information from a government website.

The information and communication technology (ICT) division held a meeting with 29 government agencies regarded as important information infrastructures. In the meetings, the ICT division discussed the precautionary actions required for ensuring cyber security.

Meanwhile, the agencies highlighted their abilities and limitations in the meeting.

Speaking to the newspersons, state minister for information and technology Junaid Ahmed said two committees were formed following the meeting.

The tasks of these committees will be identifying the flaws in terms of information and technology, identifying any negligence on individual level and preventing incidents like data leak in the future.

Junaid Ahmed told the journalists, “Necessary precautionary measures must be taken to ensure cyber security for these 29 important information infrastructures. If anyone does not do that or fails to take precautions and people suffer for that, the government will consider this as a serious offence. This mistake is not forgivable.”

The newly formed two committees include representatives from several agencies, including the ICT division, the government’s cyber security team, detective branch and different agencies of the police.

According to the ICT division, the committees have been asked to submit the investigation report within seven days, which will be submitted to the top level of the government within 10 days. A summary of the investigation report will be provided to the media.

US-based online news portal TechCrunch first reported about the leak of personal information from the website of a government agency on 7 July. However, the report didn’t reveal the name of the website due to security reasons. The ICT division did not name the agency.

The agency is under the ministry of local government, rural development and co-operatives. The agency did not issue any statement in the last two days. They didn’t even respond when contacted.

However, the chief official of the agency did not want to accept the fact that the people’s personal information was leaked. Asked whether they were accused in the meeting held at the ICT division, “There is nothing to blame anybody here. We have to determine who is liable first.”

In an interview with Prothom Alo, Viktor Markopoulos said information of around 50 million was leaked as per his assessment. Speaking regarding this, the chief of the government agency, said, “We have not found any evidence that information of millions of people has been leaked. Nobody stole any information or hacked the website. Some information has become open to all. There is nothing else than that.”

The ICT division’s a2i (aspire to innovate) programme develops the website as per the demand of the government agencies. The website with unprotected personal information was developed by a private firm.

The chief of the government agency told Prothom Alo that they have five employees in their ICT department. One of them is a government programmer. The remaining four work under a project run by UNICEF. Some 230 million people (including multiple entries of the same person) are registered with the agency.

Bangladesh Computer Council project The BGD e-GOV CIRT works on cyber security of the government websites. Project director Md Saiful Alam Khan spoke to Prothom Alo about the letter they sent to the government organisation.

He said that they conduct the vulnerability assessment and penetration test (VAPT) in different government agencies. As part of this, they conducted the VAPT test in that agency too.

The CIRT says they had identified the potential risks and sent a letter to that government agency with some recommendations on 8 June. They said in the letter that the website was too vulnerable in terms of cyber security. However, the CIRT is not aware of the actions they had taken after receiving the letter.

Speaking regarding the letter from the CIRT, the chief of that government agency said that he sought assistance from the BCC (Bangladesh Computer Council) to ensure cyber security. However, they did not conduct the VAPT properly. BCC mentioned some small and medium risks only, which they had already sorted out.

However, state minister for information and technology Junaid Ahmed, on Sunday, said the website didn’t have even minimum protection. Therefore, there is no way to avoid liability.

He further said, “Emails are sent to agencies regarded as important information structures, but they don’t respond unfortunately. They don’t follow the rules and the directives.”

This government agency is under the ministry of local government, rural development and co-operatives (LGRD). However, speaking to Prothom Alo on Sunday, LGRD minister Tajul Islam said he didn’t know anything about the data breach.

He said on Monday that he did not know the name of the agency, whose information was leaked. All the agencies under his jurisdiction said they did not have any flaw in their system.

Cyber security researcher Viktor Markopoulos claimed that he had sent mail to several agencies of the Bangladesh government informing them about the security problem. However, the government agencies denied getting any mail.

The state minister for ICT, the concerned government agency and the CIRT also claimed that they did not get any mail from Markopoulos.

However, in an interview with Prothom Alo, Viktor Markopoulos claimed that he sent the mails.

Speaking regarding this to Prothom Alo, Abu Sayeed Khan, senior policy fellow of regional research institute LIRNEasia, said, “We have utterly failed to realise the importance of cyber security in our administrative culture. This incident is proof of that.”

“Instead of ensuring cyber security, the government is busy legislating different repressive and unrealistic laws in the name of digital security. There is no progress in their main task.”