A Bangladeshi government website leaked the personal information of citizens, including full names, phone numbers, email addresses and national ID numbers.
Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT). He said the leak includes data of millions of Bangladeshi citizens.
Bangladesh’s government took down the exposed data on Sunday, according to Markopoulos.
TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as — in some cases — the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.
TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven’t heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting of the data exposure.
In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver’s license, passport, buying and selling land, opening a bank account, and others.
Bangladesh’s CIRT, the government’s press office, its embassy in Washington, D.C. and its consulate in New York City did not respond to requests for comment.
Markopoulos said finding the data “was too easy.”
“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch, referring to SQL, a language designed for managing data in a database.
The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also “be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification.”
Additional reporting by Jagmeet Singh.
Correction: A previous version of this story referred to the Bangladeshi e-Government Computer Incident Response Team with the acronym CERT. In fact, the correct acronym is CIRT. This story was updated after the leak was resolved.
Do you have information about similar leaks or data breaches? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email email@example.com. You can also contact TechCrunch via SecureDrop.