Bangladesh’s digital infrastructure and cybersecurity are facing significant challenges, leading to concerns about its safety and vulnerability. As the country approaches a crucial parliamentary election, there has been a worrisome increase in data leaks and cyberattacks. A recent incident involved a suspected leak of personal data belonging to 50 million citizens from the Office of the Registrar General, Birth and Death Registration (BDRIS). This breach exposed sensitive information such as National ID numbers, names, addresses, dates of birth and parents’ details, making it easy for malicious actors to create counterfeit NIDs. This poses a serious risk of influencing the electoral system, with the potential for misuse of this data by either the ruling party or other local as well as foreign entities. As a result, urgent measures are required to address the prevailing vulnerabilities and safeguard the integrity of Bangladesh’s digital arena.
Viktor Markopoulos, a researcher at Bitcrack Cyber Security, an international cybersecurity solution provider based in South Africa, discovered that the BDRIS website was unprotected and had leaked various personal details of numerous citizens. Despite contacting the Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT), Markopoulos received no response.
Interestingly, on the official website of BGD e-GOV CIRT, prominent figures such as the prime minister herself, the IT adviser to the prime minister, the state minister of information technology and the BTRC Chairman are all displayed as the team in charge, complete with their pictures. However, attempts by US-based online newspaper TechCrunch to seek information regarding the leak from the government’s press office, the Bangladesh embassy in Washington DC, and the Bangladesh consulate in New York City remained unanswered.
This incident has exposed significant vulnerabilities in the digital security of Bangladesh government. The lack of effective cybersecurity measures and poor management practices have alarmingly intensified data leaks and cyberattacks on both citizens and government databases in the country.
According to Markopoulos’ statement to TechCrunch, the leaked information surfaced automatically during a Google search without any intentional effort to seek it. Specifically, it emerged as the second result when searching for an SQL error, indicating a vulnerability in the website’s programming language used for database queries. With this personal data now accessible through web applications, there is a heightened potential for unauthorised access, modifications, or deletions of birth registration records. Consequently, the accuracy and transparency of the data are in question, amplifying concerns regarding its misuse and potential implications for the individuals affected.
Inadequate IT infrastructure and vulnerable digital security persist as pressing issues in the country. Recently, there have been instances of “Distributed Denial-of-Service” (DDoS) attacks, where poor security measures have allowed servers to be flooded with excessive internet traffic, resulting in the disruption of connected online services and sites. Several prominent institutions have also fallen victim to cyberattacks. The Bangladesh Krishi Bank’s servers are currently under attack by ransomware, and in March, hackers demanded $5 million in ransom from Biman Bangladesh Airlines while holding 100GB of data hostage. On March 15, a group called New World Hacktivists leaked 84 police login credentials. Just two days later, another hacking group called the Indian Cyber Force leaked information of about 270,000 Bangladeshi citizens from the Cox’s Bazar police’s server. A couple of years ago, taxpayers’ information was also compromised in a separate incident. Last but not least is the unprecedented Bangladesh Bank reserve theft in 2016, on which a Hollywood documentary titled Billion Dollar Heist has been made, due to come out next month.
On July 12, vulnerabilities were identified in the Election Commission’s NID webserver, Posts and Telecommunications Division, and the telecommunications regulator BTRC website, as they lacked adequate SSL security. Moreover, many government sites, including the one-stop site for government services, utilise certifications from non-approved authorities, deviating from root certificate issuing authorities. Entry into these sites from secured computers raises security concerns. These issues underscore the critical need for comprehensive and robust measures to strengthen the country’s digital security infrastructure and safeguard against potential threats.
According to Victor Markopoulos and TechCrunch’s findings, critical security measures such as the firewall and VPN on the database frontend and backend are not functioning properly, a matter that is deemed completely unacceptable. Although the NID server was claimed to pose no security risk after the incident, numerous other institutions in the country perform e-KYC processes that involve handling personal confidential information. Consequently, sensitive data such as birth registration records, driving licences, passports, land sales, bank account openings, mobile SIM purchases and registrations, etc remains vulnerable.
Moreover, the architecture of key components such as the application, front database, back NID database, architecture bus, and API communication flow is exposed in the Bangladesh National Digital Architecture site, which is entirely unacceptable given the sensitive and confidential nature of the information involved.
The author has personally gathered insights from departmental app managers, which reveal that many of the government’s departmental apps, such as those for birth registration, the National Board of Revenue (NBR), passport department, as well as “scheme apps” like e-KYC for banking and telecom, are outdated and not regularly updated. Moreover, sufficient funds are not allocated for the necessary upgrades, leading to the usage of outdated software versions plagued with critical security threats. This neglect of firmware updates and software upgrades has resulted in numerous security breaches and leaks. Firewalls between “Local DB” and “Central DB” and VPN connections of applications suffer from outdated and weak security measures. The front database and central database are accessed by making “API calls” by exploiting coding leaks in the app server and web server. Such subpar IT management practices within a country are indeed deeply disappointing from a security standpoint.
This vulnerability can be attributed to a lack of awareness and negligence, as well as the absence of regular evaluation of website security systems. The absence of a clear cybersecurity policy and a perception of cybersecurity as an additional cost further contribute to the weak state of affairs. Government websites are often developed inexpensively and haphazardly, with novices handling the site application instead of skilled programmers, resulting in easily exploitable vulnerabilities susceptible to hacking.
Moreover, a recurring pattern of duplicating existing sites to create new ones, often relying on open-source tools like WordPress, leads to a lack of robust security measures. Regular maintenance and multiple layers of security are not prioritised, and e-audits are rarely conducted. The absence of a comprehensive and universally enforced cybersecurity policy compounds the issue.
This overall lack of cybersecurity awareness among government institutions in Bangladesh makes them susceptible to cyberattacks and technical weaknesses. The repercussions of data breaches can be substantial, resulting in financial and social security losses. When data falls into the hands of hackers, it can be exploited for illegal activities, including unauthorised financial transactions, illegal banking, usage on Dark Web, SIM registration fraud, OTP message theft, mobile payment fraud, e-ticket fraud, SMS-based service fraud, virtual electronic identity creation, fake bookings, e-governance and e-nothi fraud, and money laundering, posing significant threats to security and privacy. The inadequate and risky management of the IT sector reflects poorly on a government with a digital reputation.
First Published: Jul 26, 2023, The Daily Star
