Personal data leak: Don't just admit fault, take responsibility
The recent leak of personal data belonging to a large number of citizens has highlighted our lack of concern for digital and cyber security. In the present and future world, data is recognised as a crucial asset, with control over it equated to holding power.
The concepts of "Digital Bangladesh" and "Smart Bangladesh" have been extensively discussed in the country's political sphere. However, the alarming leak of data belonging to nearly 50 million citizens, and the major security threat it poses, have raised doubts regarding government officials' sense of responsibility, commitment, and competence.
The government holds the responsibility of safeguarding and ensuring the security of citizens' personal information. This is a significant responsibility, but the incident of data leakage has exposed the careless and inadequate manner in which it has been handled. The personal data of hundreds of thousands of individuals were compromised not due to a cyber attack, but due to vulnerabilities within the website itself.
The government's cyber security team, the Computer Incident Response Team (CIRT), had previously issued a letter highlighting security flaws on the website of the relevant agency under the Ministry of Local Government, Rural Development, and Cooperatives. If proper attention had been given to this letter, could such a massive information leak have happened?
The absence of protection for the personal and sensitive information of hundreds of thousands of individuals in Bangladesh was initially discovered by Viktor Markopoulos, a consultant at Bitcrack Cyber Security Information, a cyber security firm based in South Africa. Markopoulos made multiple attempts to bring attention to this issue by sending six emails to the relevant officials at CIRT.
Unfortunately, he did not receive any response. However, CIRT attempted to evade responsibility by denying that they had received such emails. The matter sparked controversy when TechCrunch, an online media outlet based in the United States, published an article about the breach, citing information provided by Markopoulos.
The Election Commission's National Identity Card (NID) Registration Wing says an organisation stored citizens' personal information in an unregulated manner, and that the information became open to all due to a technical flaw in its website. Stating that there is no scope to avoid liability, the Minister of State for Information and Technology said that some 29 organisations were declared ‘important information infrastructure’ under the Digital Security Act. Emails are sent to them, but unfortunately they don’t respond. They don’t follow the rules.
The statements made by the EC and the state minister clearly indicate the lack of importance given by government institutions to the protection of valuable citizen information. Regrettably, there seems to be a lack of emphasis on the routine practice of regularly checking and responding to emails, which is an integral part of the work.
The realm of cybersecurity is constantly evolving, presenting new challenges and realities. In this digital domain, there is no space for falling behind international standards.
There is no specific law on privacy in Bangladesh, while there have been instances of restricting freedom of expression and suppressing dissent through restrictive laws such as the Digital Security Act. Apart from this, the Data Protection Act has been drafted with provisions for data localization. But the main question of safety and security in the digital domain is being ignored.
Instances of citizen data leaks serve as a clear warning for us to exercise caution. Mere acceptance of liability is insufficient. The Ministry of Information and Communication must assume complete responsibility. If we fail to break free from the cycle of complacency and denial, we will inevitably face even graver consequences.