Cybercrime , Fraud Management & Cybercrime , Geo Focus: Asia
Bangladeshi Officials Sold Data on Millions of Citizens
Hundreds of Officials Could Access Centralized Citizen Database Without OversightBangladeshi authorities are investigating two senior police personnel who used legitimate credentials for the national spy agency's database to collect data on millions of citizens and sell it to buyers on Telegram and other social channels.
See Also: Netskope FERPA Mapping Guide
The National Telecommunication Monitoring Center told the Ministry of Home Affairs in late April about the two officials extracting vast amounts of citizens' data from its centralized IDEA 2 database and selling them to buyers online.
Local news agency The Daily Star, which accessed the surveillance agency's letter, said the accused officials, both superintendents of police assigned to the Anti-Terrorism Unit and a Rapid Action Battalion unit known as Rab-6, logged in to the agency's National Intelligent Platform multiple times between March 25 and April 25, and exfiltrated citizens' information, including their national identification numbers, call detail records and other sensitive data.
The data theft took place not long after the domestic spy agency exposed a citizen database that stored virtually the entire population's personally identifiable details.
CloudDefense.AI's cybersecurity researcher Viktor Markopoulos, who discovered the exposed database, said it stored "citizens’ names, professions, parents’ names and more sensitive information such as phone numbers, exam details, vehicle registration numbers, IMEI numbers, passport details and biometric data, including fingerprints." Hackers later wiped all data from the repository and left a ransom note demanding a payment of 0.01 bitcoins.
Markopoulos also discovered another Bangladeshi government database in July last year that exposed the personal information of about 50 million citizens, including their birth registration records, phone numbers and national identity numbers (see: Bangladesh Government Portal Leaked 50M Citizens' Records).
The NTMC's National Intelligent Platform, which stores citizens' personal information along with details of their social profiles, call records and web activities, is accessible to about 500 officials from 42 central law enforcement agencies.
The senior police officials accessed the IDEA database, also known as the Identification System for Enhancing Access to Services. According to a World Bank document, the IDEA project aims to "establish a secure, accurate and reliable national ID system that serves as the basis for more efficient and transparent service delivery." The database has been used since 2017.
The two law enforcement officials sold the stolen data through 48 Telegram groups, 21 WhatsApp groups and 720 Facebook groups and pages with over 3.2 million members and followers, according to the agency letter.
Cybersecurity Law Strengthens Government Control
The government passed the Cyber Security Act in September to enhance federal response to electronic crimes and set up dedicated bodies, such as the National Cyber Security Agency and the National Cyber Security Council, to oversee the nation's security. The law, however, borrows many elements from the previous draconian Digital Security Act 2018 that gives agencies wide powers to arrest, detain and monitor citizens.
According to a U.S. State department report, instead of fortifying its digital defenses, the Bangladeshi government has used the cybersecurity law to strengthen its control and crack-down on political opponents, journalists and civil society activists.