Election Commission to sit with partner agencies after 'leak' of citizens’ data

In the wake of reports of a leak, the Election Commission, under which the national ID cell operates, has decided to sit with the 171 agencies that use the national database to use information for verification.

The meeting may take place next week, EC Additional Secretary Ashok Kumar Debnath said on Sunday, after the National Identity Registration Wing’s Director General AKM Humayun Kabir said the database was secured.

In a press briefing, Humayun said they were working with the 171 organisations to determine the security level of their portals. “If we find any breach, we will terminate our contract with them,” he said.

Speaking to bdnews24.com later, Ashok said the date for the meeting will be fixed on Jul 13. “These organisations will be given instructions on security. We’ll also be able to find out what steps they are taking or if there is any negligence.”

Ashok said the organisations are not allowed to store data from the EC’s NID server.

Squadron Leader Saad Waiez Tanveer, director of the smart NID card project, said some of these organisations with temporary access to the server can save the data regularly.

“It’ll become a large volume of data then which we won’t be able to secure. This is why we’ve set the condition that they cannot save the data.”

He said IT security experts found vulnerability in one website after the leak was reported.

“We suspect the data was stored by our partner service. We’ll take steps to fix the issue permanently so that citizens' data is not put at risk for such activities of our partner services.”

Muhammad Ashraf Hossain, system manager of the NID wing, said they temporarily suspend access by organisations from where suspicious activities are noticed. “We’re more active from yesterday and some of the organisations are on our doubt list. We’re still checking them.”

State Minister for ICT Zunaid Ahmed Palak conceded that technical shortcomings in a web application registered under the http://gov.bd domain led to the leak of the personal data of millions of Bangladeshis online.

Without revealing the application's name for security reasons, Palak blamed the system administrators responsible for securing the database as per the data protection guidelines for the leak.

“The system had some shortcomings, which is why if anyone searched the database for any information, the whole database became public. It was not hacked or attacked by any cybercriminal,” the minister said on Sunday while speaking at a programme in Dhaka.

A US website, TechCrunch, first broke the news on Jul 6, revealing that a researcher for Bitcrack Cyber Security, a South Africa-based organisation, accidentally stumbled onto the trove of data on Jun 27 during a regular Google search.

TechCrunch also said the researcher, Viktor Markopoulos, immediately emailed the Bangladesh government’s e-Government Computer Incident Response Team, or CIRT, about the situation.

CIRT said it was investigating the issue, but described the leak as a “data breach”.

CIRT demonstrated “its professionalism and expertise by swiftly initiating a thorough investigation into the matter”, the agency said in a statement on Saturday.

The investigation will “make every effort to understand the extent and impact of the data breach”, CIRT said.