Bangladesh government fixes website that leaked personal data of 50 million citizens

A security researcher accidentally discovered a publicly-accessible database containing leaked information on millions of Bangladeshi citizens, including their names, phone numbers, birth certificates and national ID numbers.

Viktor Markopoulos, an information security consultant at South Africa-based Bitcrack Cyber Security, told BBC News that he came across an insecure government web portal in June while searching Google for an unrelated project.

Markopoulos immediately notified Bangladeshi authorities, who removed the leaked data on Sunday — almost two weeks after it was discovered.

In a press release issued by the Bangladeshi Computer Incident Response Team (CIRT) on Saturday, the authorities stated that they “took immediate action” to address the data breach and initiated “a thorough investigation into the matter.”

Bangladeshi information and technology minister Zunaid Ahmed told local media that the data was exposed due to security weaknesses of a website, not a cyberattack.

According to Bangladeshi security official Humayun Kabir, the data leak occurred due to a vulnerability in the IT infrastructure of one of the 171 partner organizations that utilize data from the Bangladesh Election Commission’s servers.

“The leak was the result of one of these organizations storing personal data it was not supposed to keep,” he said in an interview with local media.

Bangladeshi news website DigiBangla said that the data was leaked from the country’s Birth and Death Registration Information System. As per the report submitted by the organization to the court, no leaked data was stolen or damaged, according to DigiBangla.