Smart NID data leakage: A ministry, some other offices key suspects
Following an alarming leakage of people’s national identity (NID) data, the supreme custodian, the election commission (EC), has denied any mishap on their side, saying that their database is still intact, and they have encountered no hacking attempts.
However, the EC has pointed the finger at some government offices that receive data verification services from the commission's NID database. To ward off further leakage, the commission has already suspended data verification services to some suspected entities, including a ministry and several government offices.
Sensitive personal information of citizens leaked in the virtual world through a Telegram channel several days ago. Anyone could easily access the information by submitting an NID number and birthdate online. However, the channel stopped providing leaked NID data on Thursday morning.
A source at the commission indicated that the data could have leaked from a ministry that receives data verification services from the EC database. The commission has already suspended its service and issued a letter to the ministry to launch an investigation into the leakage.
The commission may even terminate its data-sharing agreement with the ministry if the latter fails to address the technical flaws and obtain intelligence clearance.
All the entities do not receive all types of information; for example, the police have access to 10 to 12 types of information, while banks have access to individuals’ addresses and parents’ names.
The leakage is not the first of its kind in Bangladesh. Earlier in July, US-based online media outlet, TechCrunch, reported that classified information of millions of Bangladeshi citizens had leaked from the office of the Registrar General of Birth and Death Registration. The office used to receive data verification services from the EC database.
The state minister for information and communication technology (ICT), Zunaid Ahmed Palak, alleged that the birth and death registration office did not have a minimum security system on its website.
Besides, there was a leakage of personal information and documents from an education board website in September.
AKM Humayun Kabir, the director general of the EC’s NID registration wing, told reporters on Thursday afternoon that they had suspended verification services to a number of offices around 1:00 am on Wednesday.
He, however, could not disclose the list of suspected offices but said the government and private entities receiving services from the commission are on the list of suspects.
Responding to a query, AKM Humayun Kabir said everything is possible in the era of the internet, as different offices have access to different types of data. The leakage might have taken place from the offices. Even mobile operators might have been involved in the leakage, as they might have provided numbers.
Asked if different types of information are being leaked from different offices, the EC official said, “I cannot say at this point. Let us see what the investigation finds. The services to suspected entities have been halted.”
Explaining the verification services, KM Humayun Kabir said all the entities do not receive all types of information; for example, the police have access to 10 to 12 types of information, while banks have access to individuals’ addresses and parents’ names.
However, the EC cannot terminate the verification services completely due to its obligations as per its agreements with the entities.
He said legal action will be taken if anyone is found responsible for the leakage. If the entities responsible for software maintenance are found involved in the leakage, the commission will recommend that they be blacklisted and do not get any work in the country.