A Bangladeshi government website data leak has exposed the personal information of millions of eGovernment portal users.
Bitcrack Cyber Security researcher Viktor Markopoulos told TechCrunch he discovered the leaked database on June 27, 2023, while Googling an SQL error message (SQL, short for “Structured Query Language”, is the language used to manage data in a database).
Markopoulos said finding the data “was too easy” as “it just appeared” as the second Google result. When contacted, the Bangladeshi government did not respond to Markopoulos or TechCrunch.
Bangladeshi government website data leak exposed citizens’ PII
The government website data leak exposed personally identifiable information (PII), including the victims’ full names, phone numbers, email addresses, and national ID numbers. Roughly 50 million citizens were impacted by the government website data leak.
TechCrunch confirmed the data was legitimate by using a portion to query a public search tool on the affected government website.
The search returned the name of the person who applied to register and even their parents’ names in some cases. According to TechCrunch, all ten unique sets of data used in the search returned accurate results.
Markopoulos contacted the government Computer Incident Response Team (CIRT) regarding the personal data leak but received no response. The American tech news website also reportedly contacted the Bangladeshi government without success. Shortly afterwards, the leak was fixed, without any correspondence with either party.
However, BGD e-GOV CIRT project director Saiful Alam Khan Mohammad told Bangladeshi media outlets that the team was investigating the data leak.
On July 8, 2023, the BGD e-GOV CIRT project posted a statement on its website claiming the team demonstrated expertise and professionalism in “addressing millions of Bangladeshi’s data breach news on an international media.”
TechCrunch withheld the name of the impacted government website to protect impacted citizens from exploitation. It remains unclear how long the information was exposed and whether hackers accessed, copied, or misused the exposed data.
The security researcher warned that threat actors could use the leaked information to access the web application and “modify and/or delete the applications as well as view the Birth Registration Record Verification.”
Similarly, they could use the information to craft compelling, targeted phishing messages to extract more information from the victims. They could also use the victims’ personal information to create false identities to commit online fraud.
CIRT directs organizations to harden cyber defense
In light of the government website data leak, BGD e-Gov CIRT directed all organizations to take necessary measures to harden their cyber defense.
The agency encouraged them to properly configure their networks, conduct employee security awareness and training, monitor their networks, conduct vulnerability assessments, configure web applications following OWASP guidelines, and report suspicious activity.
In 2021, BGD e-Gov CIRT discovered 200 Microsoft Exchange Server vulnerabilities, with 147 private and government entities coming under a “coordinated” cyber-attack, including Bangladesh Bank (BB), Trust Bank, the Bangladesh Telecommunication Regulatory Commission, and Hospital Dhaka.