Smart NID card data available on Telegram  

In July, data belonging to ‘thousands’ of individuals was leaked from the Registrar General's office, birth and death registration information system (BDRIS). Following this incident, approximately two and a half months later, news surfaced regarding a breach in the smart card information.


The personal information of individuals, obtained through the Smart National Identity Card (NID) system, is available on a Telegram channel. By providing an NID number and date of birth, an individual's complete personal information can be generated.

This Telegram channel uses specialised software (a bot) to facilitate this process. It allows anyone to retrieve people's personal information in much the same way as certain government and private organisations that obtain NID information from the Election Commission (EC) for services such as selling SIM cards and opening bank accounts.

Currently, the identity of the individual or group operating this Telegram channel remains unknown. 

In July, data belonging to thousands of individuals was leaked from the Registrar General's office, birth and death registration information system (BDRIS). Following this incident, approximately two and a half months later, news surfaced regarding a breach in the smart card information. 

The Telegram channel's name was shared with three IT experts for verification. They confirmed to Prothom Alo that the channel had been established using already leaked personal information. It was clarified that there was no direct display of information from the National Identification (NID) database or server on the Telegram channel. 


An official from the relevant wing of the Election Commission, speaking on condition of anonymity, informed Prothom Alo that numerous government institutions had set up separate portals using information sourced from the Election Commission. However, these portals had weak security systems, making it possible for individuals' personal information to be leaked from their databases. Incidents of such leaks have occurred in the past. 

AKM Humayun Kabir, the Director General of the Election Commission's NID registration wing, informed Prothom Alo that the NID database had not been hacked. He stated that he was unaware of any information being accessible on the Telegram channel. 


However, Ashraf Hossain, the NID's system manager, revealed to Prothom Alo that they became aware of this situation last Tuesday. Currently, at least 174 institutions receive information directly from the Election Commission (EC). It was determined that this breach occurred through one of these institutions. Necessary actions are being taken in response. However, he declined to disclose the name of the specific institution.

Personal information generated easily

The NID database maintained by the Election Commission contains personal information for approximately 120 million citizens. According to EC sources, as of 15 February, approximately 58 million smart cards had been distributed.  


To verify information from the EC database, citizens are required to provide their NID number and date of birth. Similarly, information is accessible from the Telegram channel using the NID number and date of birth. A verification process was conducted for the NID information of 10 individuals on that channel, revealing that 8 of them possessed 10-digit smart NID cards. Using these 10-digit numbers, the details of the respective NID holders were obtained.  

The remaining two cards were 13-digit (paper NID). After providing these, it was advised to input a 10-digit number for further processing.

The extracted information includes the individual's name, father's name, mother's name, spouse's name, date of birth, religion, gender, mobile phone number (if provided), current address, permanent address, and photograph taken during the issuance of the National Identity Card.


Section 26 of the new Cyber Security Act stipulates that anyone unlawfully collecting, selling, possessing, supplying, or using identity information of a person shall be subject to punishment, which may involve imprisonment for a term not exceeding two years, a fine not exceeding Tk 500,000, or both. Identity information in this context refers to name, photograph, address, date of birth, mother's name, father's name, signature, national identity card, fingerprint, and similar data. 

The issue of a data breach was reported to a cybersecurity officer within the government's Information and Communication Technology (ICT) Division. The officer claimed that the problem had been resolved.  

However, it was later discovered, by entering the NID number and date of birth of some individuals, that the personal information was still accessible on the Telegram channel, the same as before.


The government is reportedly taking measures to shut down the Telegram channel. Mohammad Saiful Alam Khan, the director of BGD e-Gov CERT, a government ICT division project focused on cybersecurity, informed Prothom Alo that the NID authorities have been alerted about the channel on Telegram. A letter has been sent to the Bangladesh Telecommunication Regulatory Commission (BTRC) requesting the closure of the channel.  

Telegram is an internet-based communication services company registered in the British Virgin Islands, a known tax haven. It was co-founded by Russian-born Nikolai Durov and Pavel Durov. Telegram is very popular in Russia and neighboring countries. 

How worrying is the data leak? 

Personal information encompasses data that can be utilized to identify an individual. This kind of information is often exploited for identity theft, enabling the creation of a false identity that can lead to fraudulent activities.  

In Bangladesh, there have been numerous instances of crimes involving the misuse of personal information. For instance, some criminals deceived a woman named Afroza Begum, aged 46, from Natore under the guise of government assistance and obtained her NID number, photograph, and fingerprints. The miscreants used her information and NID details to acquire a SIM card, subsequently engaging in criminal activities. 

Afroza Begum recounted to Prothom Alo on Tuesday, "A few days ago, the police visited my house and informed me that criminals were carrying out various crimes using a SIM card registered under my name." She further stated, "Information was acquired from many individuals in our village in a similar manner." 


Earlier data breach 

The US-based online media outlet, TechCrunch, has reported on the incident involving the leakage of personal information of "thousands of people" from the Registrar General's office, BDRIS. 

The Office of the Registrar General, BDRIS, utilized NID data verification services provided by the EC. Following the incident, the EC stated that the leakage was a result of an organisation's data storage not complying with regulations. Subsequently, the EC organised a meeting with experts to address the situation. It was recommended to closely monitor organisations contracted with the EC and conduct regular information technology audits (IT audits) to enhance data security. 

Following the data leak, State Minister for Information Technology, Junaid Ahmed, remarked that the government website lacked essential security measures, leaving no room to evade accountability. 

Subsequently, last month, a separate incident emerged, revealing the leakage of personal information and documents from an education board's website. 

Rajesh Palit, a professor in the Department of Electrical and Computer Engineering at North South University, expressed his concern to Prothom Alo regarding the alarming rate of information leaks.  

He emphasised that if fingerprints were also compromised, the situation would be grave. Palit pointed out that both government agencies and private organisations collect citizens' information but often struggle to safeguard it. He highlighted the potential risks, emphasising that the leakage of personal information could make ordinary individuals vulnerable to criminal activities. 

There are instances of organizations being penalized for data leaks in various countries worldwide. In 2019, for instance, the Integrated Health Information System of Singapore was fined USD 750,000 (approximately Tk 80 million) for the leakage of patients' personal information. Similar cases have been reported in other countries as well. However, in Bangladesh, there is no known precedent of anyone facing punishment for a data leak till now. 

*This report, which originally appeared in the Prothom Alo print edition in Bangla, has been rewritten in English by Farjana Liakat.
