TDS Desk
Sensitive information from various government agencies has recently been leaked on the internet, exposing personal details of over 100,000 police officers. This includes the ID and secret password required to access a police database.
The leaked data also affects a range of organisations, including government service agencies, banks, financial institutions, transportation-related government bodies, regulatory agencies, and educational institutions. This is not the first instance of government data being compromised.
A cybersecurity volunteer group informed this reporter that 4,717 IDs and passwords for accessing the ‘admin panel’ (control system) of websites and databases belonging to various government agencies were leaked in the past year.
These leaks are being advertised for sale on criminal platforms, including on the Dark Web and Telegram. In some cases, the organisations affected have since blocked the leaked IDs and passwords.
Experts express concern that data leaks like these create opportunities for various types of crime, especially financial crimes such as identity theft, which is on the rise in Bangladesh. There have even been cases of bank loans being fraudulently taken out in people’s names without their knowledge.
Most of the leaked data consists of login details—URLs, IDs, and passwords—giving unauthorised individuals the ability to access government agency databases, provided the information is still active. This includes around 700,000 pieces of login data. In addition, the leak contains personal information of individuals, further escalating the potential risks.
Gazi Mahfuz ul Kabir, legal advisor at the Bangladesh Cyber and Legal Centre, said that the leakage of such a vast amount of login and admin panel data is especially dangerous. With access to a single admin panel login, an intruder could potentially compromise an entire database.
He emphasised that without proper security measures, the country’s information management system could face significant threats.
POLICE INFORMATION ‘LEAKED’
One of the police databases affected by the recent leaks is the Crime Data Management System (CDMS), which holds at least 50 types of information, covering every aspect of a case from start to finish.
Case investigation officers, who are outside the CDMS control branch of the police headquarters, can access this data using specific IDs and passwords. Each ID provides details about the cases handled by the investigation officer.
A volunteer group specialising in cybersecurity showed this reporter that over 2,000 police CDMS login URLs, BP IDs or usernames, and passwords have been leaked in the past six to eight months.
This type of information leakage is referred to as ‘credential compromise.’ In total, 31,415 different types of data, including CDMS information and other police crime-related information, have been exposed.
These police database details are being advertised for sale across several Telegram channels. When contacted on one of these channels on November 24, the individuals claimed they could retrieve details about specific cases for a small fee. They also provided samples of information as evidence of their ability to access such data.
Before the fall of the Awami League government in July, the personal information of police officers was leaked. This breach exposed data on at least 108,416 police members, including identification or BP numbers, current ranks, places of work, dates of joining, mobile and government phone numbers, names of parents and spouses, national identity card numbers, birth dates, addresses, height, weight, and special identification marks.
Several officers were contacted to verify the authenticity of the leaked information. They confirmed that the details were indeed theirs and expressed concern over the exposure. One officer, contacted by , stated that he was now retired.
The leak is believed to have originated from the police’s Personal Information Management System (PIMS). When contacted for an official statement, the police department did not respond.
However, an anonymous official said that such breaches were often due to user-level negligence. The official emphasised that the police’s main database remains highly secure, and whenever leaked ID information is detected, it is promptly blocked to prevent further misuse.
MORE INFORMATION LEAKS
In the past six months, more than 200,000 pieces of information from various educational institutions have been leaked. The names of these educational institutions can be identified by searching through the leaked data.
Among the leaked information, 2,268 entries are admin panel login credentials. A cybersecurity volunteer group has pointed out that due to security lapses, it is possible to access the databases of several education boards in the country, which poses a significant risk to the privacy of students and faculty alike.
Meanwhile, an advertisement has appeared on a Telegram channel offering information about the location of customers of a mobile phone operator. A bot, which automatically provides such information, has also been launched.
To verify this, a number was submitted to the bot, and it revealed the address of a specific area in Dhaka where the user of the SIM card had lived for nine years.
However, after contacting the individual later, it was found that the user was not currently at the given location, although they had lived there in the past. This indicates that a group has stolen outdated location information from a database, further highlighting the risks associated with data breaches.
The volunteer group working on cybersecurity has also stated that due to similar security vulnerabilities, it is possible to access the databases of multiple banks, further expanding the scope of concern regarding the security of sensitive data in various sectors. These incidents underscore the growing need for improved cybersecurity measures across institutions to protect personal and sensitive information.
REASONS FOR THE INCREASE IN DATA LEAKS
Cybersecurity experts attribute the recent data leaks to various types of malware, including a Russian-made strain. One cybersecurity expert, who wished to remain anonymous, explained that once the Russian-made malware infiltrates a computer, it continues to gather information over time.
This malware is primarily spread through email attachments and pirated (counterfeit) software. The user typically remains unaware of the malware’s presence.
This reporter spoke with a group that privately monitors the country’s cybersecurity landscape about the issue. They revealed that both domestic and foreign hacker groups are exploiting this malware to take control of computers and harvest sensitive data.
Among all the data-stealing malware in circulation, one particular type has been identified as the most commonly used. The BGD e-Gov CIRT (the Bangladesh Government’s Computer Incident Response Team), an organisation responsible for monitoring and securing the country’s digital infrastructure, also issued a warning report on 8 October regarding such malware attacks. The report specifically highlighted threats posed by malware such as Lumma.
TARGETS OF DATA LEAKS
Experts in data security have pointed out that underdeveloped and developing countries, including Bangladesh, Indonesia, India, Sri Lanka, and Pakistan, are primary targets of data theft groups. This is primarily due to the widespread use of free, pirated, or outdated operating systems in these countries.
Additionally, many of these systems lack basic security measures, which creates a vulnerability that data theft groups are quick to exploit. As a result, these nations have experienced a significant number of data leaks.
Bangladesh has faced several such breaches in the past. For instance, in July of the previous year, the Registrar General’s Office and the Birth and Death Registry leaked personal information of millions of people.
In another case, on 5 October, 2023, published a report titled ‘Smart Card Information Leaked, Available on Telegram Channel,’ revealing that information related to the smart National Identity Card (NID) of Bangladeshi citizens was being sold on a Telegram channel. By simply providing an NID number and a date of birth, anyone could access the personal details of individuals.
Various government institutions and departments in Bangladesh hold at least 40 types of information about citizens, while private institutions store up to 50 types. The NID database alone contains 32 types of personal information about more than 120 million citizens. This vast collection of sensitive data is an attractive target for cybercriminals.
BGD e-Gov CIRT, the agency responsible for monitoring the country’s cybersecurity risks, has highlighted the vulnerability of key state institutions, including law enforcement agencies.
According to a source at the organisation, many of these institutions remain at risk despite efforts to notify relevant authorities. While some organisations have acted promptly upon receiving these reports, many have remained silent, and there is a widespread lack of trained cybersecurity personnel.
This is contributing to an increasing risk of cyber threats. The situation is further exacerbated by the absence of effective laws and penalties for protecting and disclosing information.
Abu Sayed Md. Kamruzzaman, Director General of the National Cyber Security Agency, shared his concerns with this correspondent, stating, “We have repeatedly urged institutions to strengthen their cybersecurity systems; but unfortunately, most people do not want to prioritise cybersecurity.”
He emphasised that in order to address these challenges, both institutions and individuals must move beyond their indifference to cybersecurity. He stressed the need for organisations to establish clear cybersecurity policies and enforce them, ensuring that both individuals and institutions follow them diligently.