2023 Bangladesh Government website data breach

Last updated

In June and July 2023, a major data breach occurred in a Bangladesh Government website, resulting in the unauthorized exposure and compromise of personal data belonging to more than 50 million Bangladeshi citizens. [1] [2] [3]

Contents

Background

On July 7, 2023, it was discovered that a government website in Bangladesh had inadvertently exposed the personal data of citizens due to security vulnerabilities. [4] The breach was not a result of a deliberate hack, but rather a consequence of weaknesses in the infrastructure and data protection practices of the websites. The exposed data included sensitive information such as names, addresses, phone numbers, and national identification numbers. [5] From October 2023, the leaked NID data of Bangladeshi citizens are openly accessible on Telegram channels. [6]

Breach incident

The breach was initially reported by American technology news website TechCrunch, on July 7, 2023. According to their reports, the exposed data was accessible via the government website, potentially allowing unauthorized individuals to access and misuse citizens' personal information. They initially did not reveal the website's name as breached data were still accessible, however they later revealed that the data breach occurred in the Office of the Registrar General, Birth & Death Registration website. [4] The incident raised concerns about privacy and data security, causing alarm among affected individuals. [7]

Zunaid Ahmed Palak, the state minister for Information and Communication Technology in Bangladesh, acknowledged the breach and clarified that it was not the result of hacking but rather a consequence of the security weaknesses presents in the websites. Palak further explained that the websites had vulnerabilities that were exploited, resulting in the exposure of citizens' personal data. [8] [9]

Government Response

In response to the data breach, the Bangladesh government took action to address the situation. On July 10, 2023, the government announced the takedown of the exposed citizens' data, ensuring that it was no longer accessible to unauthorized individuals. The affected government websites were temporarily shut down to address the security vulnerabilities and strengthen their data protection measures. [10] [4]

Additionally, the government launched an investigation into the incident to ascertain the extent of the data exposure and identify the parties responsible for the security weaknesses. The objective was to prevent similar incidents from occurring in the future by implementing more robust security protocols and measures to safeguard citizens' personal information. [4]

Impact and Controversy

According to experts, the data breach had significant implications for the affected citizens and raised concerns about data security in the country. The exposure of personal data could potentially lead to fraudulent activities, identity theft, or other malicious purposes. The breach underscored the need for stringent cybersecurity practices and triggered discussions about the security measures implemented by government websites in Bangladesh. [11] [12]

The incident generated controversy and prompted discussions regarding the government's responsibility in protecting citizens' data. Critics argued that the data breach highlighted a lack of attention to cybersecurity and a failure to prioritize the protection of sensitive information. [7] Others emphasized the importance of regular security audits and timely detection and remediation of vulnerabilities. [13]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".

On March 27, 2016, hackers under the banner "Anonymous Philippines" hacked into the website of the Philippine Commission on Elections (COMELEC) and defaced it. The hackers left a message calling for tighter security measures on the vote counting machines (VCM) to be used during the 2016 Philippine general election on May 9. Within the day a separate group of hackers, LulzSec Pilipinas posted an online link to what it claims to be the entire database of COMELEC and updated the post to include three mirror link to the index of the database's downloadable files. The leaked files by LulzSec Pilipinas amounts to 340 gigabytes.

The National Identity Card or NID card is a compulsory identity document issued to every Bangladeshi citizen upon turning 18 years of age by Bangladesh Election Commission (EC). The NID is also a biometric, microchip embedded smart identity card. The NID is required by Bangladeshi citizens for multiple essential public services & private services in Bangladesh. Initially, paper-based laminated NID cards were issued in 2006. Then, the paper-based laminated NID cards were replaced by the Smart NID cards in 2016. This was done to ensure security for the cardholder as well as prevent counterfeiting and fraudulence. Bangladesh government provides the Smart NID card with zero cost for all above 14 years Bangladeshi citizens.

The Bangladesh Computer Council (BCC) is a statutory government organization operating under the Information and Communication Technology Division of the Ministry of Posts, Telecommunications, and Information Technology of the Government of Bangladesh (GoB). Its headquarters are situated in Agargaon, Dhaka, Bangladesh. It was initially known as the National Computer Committee (NCC) in 1983 and transformed into the Bangladesh Computer Council through Act No. 9 of the National Parliament in 1990.

Cloudbleed was a Cloudflare buffer overflow disclosed by Project Zero on February 17, 2017. Cloudflare's code disclosed the contents of memory that contained the private information of other customers, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. As a result, data from Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory. This occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected. Some of the leaked data was cached by search engines.

Connected toys are internet-enabled devices with Wi-Fi, Bluetooth, or other capabilities built in. These toys, which may or may not be smart toys, provide a more personalized play experience for children through embedded software that can offer app integration, speech and/or image recognition, RFID functionality, and web searching functions. A connected toy usually collects information about the users either voluntarily or involuntarily, which raises concerns on the topic of privacy. The data collected by the connected toys are usually stored in a database, where companies that produce connected toys can use the data for their own purposes, provided they do so in line with the protections outlined in the Children's Online Privacy Protection Act (COPPA).

According to the government of Bangladesh, the first question paper leak from any public examination happened in 1979, during the Secondary School Certificate (SSC) examination period. However, leaks have become more frequent since 2014. Question papers of other public examinations such as the Primary School Certificate (PSC), Junior School Certificate (JSC), Secondary School Certificate and Higher Secondary School Certificate (HSC) have been leaked in a regular basis. There have also been multiple university and medical entrance exam question paper leaks.

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country.

The Office of the Registrar General, Birth & Death Registration is a Bangladesh government regulatory agency under the Ministry of Local Government, Rural Development and Co-operatives responsible for the registration of births and deaths in Bangladesh. The website of this agency had a massive data breach in June and July of 2023, exposing citizens personal data that included names, phone numbers, national identity card information, and addresses.

<span class="mw-page-title-main">Sakura Samurai (group)</span> Hacker group

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

<span class="mw-page-title-main">2021 Epik data breach</span> 2021 cybersecurity incident in America

The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year. A second release, this time containing bootable disk images, was made on September 29. A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.

<span class="mw-page-title-main">Bangladesh e-Government Computer Incident Response Team</span> National cybersecurity agency of Bangladesh

The Bangladesh e-Government Computer Incident Response Team is the state-run agency of the government of Bangladesh responsible for maintaining cybersecurity in the country. Works under the Ministry of Posts, Telecommunications and Information Technology, it is the national computer emergency response team (CERT) with prim focus on receiving and reviewing, and responding to cybersecurity incidents in the country.

The Shanghai police database leak refers to the unauthorized disclosure of sensitive personal information and police case data from the Shanghai National Police Database, also known as the SHGA Database, in early July 2022. The leaked data, totaling over 23 terabytes, includes details of more than one billion Chinese residents, encompassing names, addresses, birthplaces, resident ID card numbers, phone numbers, photos, mobile phone numbers, and information on criminal cases. The data was made available for sale on the internet by an unidentified hacker, who demanded a price of 10 bitcoins.

References

  1. "Over 5 crore Bangladeshi citizens' personal data 'exposed' online". The Business Standard. 2023-07-08. Retrieved 2023-07-12.
  2. "Sound the alarm bell: Inside the leak of 50 million Bangladeshis' personal data". The Business Standard. 2023-07-08. Retrieved 2023-07-12.
  3. "Bangladesh government website leaks citizens' personal data: TechCrunch". The Financial Express. Retrieved 2023-07-12.
  4. 1 2 3 4 Franceschi-Bicchierai, Lorenzo (2023-07-10). "Bangladesh government takes down exposed citizens' data". TechCrunch. Retrieved 2023-07-12.
  5. Paganini, Pierluigi (2023-07-07). "Bangladesh government website leaked data of millions of citizens". Security Affairs. Retrieved 2023-07-12.
  6. এনআইডির ফাঁস হওয়া তথ্য মিলছে টেলিগ্রাম চ্যানেলে (dhakatribune.com)
  7. 1 2 "সরকারি ওয়েবসাইট থেকে ব্যক্তিগত তথ্য ফাঁসে কী ধরণের ঝুঁকিতে পড়বেন আপনি?". BBC News বাংলা (in Bengali). 2023-07-09. Retrieved 2023-07-12.
  8. "Site's weakness to blame for exposing citizens' data: Palak". The Business Standard. 2023-07-09. Retrieved 2023-07-12.
  9. Tech & Startup Desk (2023-07-09). "Personal data leak by govt. website: No scope to evade responsibility, says Palak". The Daily Star. Retrieved 2023-07-12.
  10. Ferdous, Raiyan. "Press Release July 08 2023: Alert from CIRT". BGD e-GOV CIRT | Bangladesh e-Government Computer Incident Response Team. Retrieved 2023-07-12.
  11. ডেস্ক, হাল ফ্যাশন. "ব্যক্তিগত তথ্য ফাঁস হলে যেসব ঝুঁকিতে পড়তে পারেন আপনি". Haalfashion (in Bengali). Retrieved 2023-07-12.
  12. "সাইবার সিকিউরিটি: বাংলাদেশে সরকারি দপ্তরের তথ্য ফাঁস কতটা বিপজ্জনক হয়ে উঠছে?". BBC News বাংলা (in Bengali). 2023-07-10. Retrieved 2023-07-12.
  13. হোসেন, বি এম মইনুল (2023-07-11). "বোঝা গেল ডিজিটাল নিরাপত্তাব্যবস্থা কতটা খারাপ". Prothomalo (in Bengali). Retrieved 2023-07-12.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.