bdnews24.com finds a file with hundreds of IDs and passwords for the government’s Personnel Management Information System available online
Published : 13 Jul 2023, 02:45 AM
A Bangladesh government department has left in the public domain a spreadsheet with login credentials and personal details of its nearly 1,000 staff members to access their profiles registered under the government’s Personnel Management Information System, or PMIS, until bdnews24.com accidentally discovered it.
The discovery of the sensitive information, which should have been shrouded with extreme secrecy, came at a time when the government’s inept cybersecurity system was called into question following the exposure of millions of citizens’ personal details through a loophole in the government’s birth registration website.
On Sunday, after accessing the web portal of Roads and Highways Department, or RHD (https://rhd.portal.gov.bd/), registered under the Bangladesh government’s domain, gov.bd, bdnews24.com stumbled onto a 26-page notice, which carried the unique ID number, name, merit order and date of birth of 990 staff members, including the top officials of the department.
Each notice page carried a note at the top, which advised the staff members to log in to their respective profiles under the PMIS system with their unique ID as username and date of birth as passkey.
It is standard practice in the IT industry that when initial login credentials are created for a large pool of people, each person should use the initial passkey only once and change it immediately, preferably to a combination of letters, numbers and special characters.
Due to the strict nature of the Digital Security Act, bdnews24.com did not test whether a successful login can be made with those credentials.
However, on the very same day, a senior official of the department, who declined to disclose his identity due to the sensitive nature of the revelation, confirmed that to the best of his knowledge, a large number of the staff members had not changed their respective passkeys, which means anyone with the public spreadsheet could log into the PMIS database and steal sensitive tender and government procurement information.
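The risk described above comes from initial passkeys that are both predictable (a date of birth) and never rotated. The following is an added illustration, not code from the RHD portal or the PMIS system, of how a provisioning flow can force a change on first login, reject the date of birth or a weak replacement, and let an administrator audit which accounts are still on their initial passkey. The roster, the PBKDF2 parameters and the strength rule are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Constructed sample roster in the shape of the published notice: (unique ID, date of birth).
SAMPLE_ROSTER = [("10001", "1985-04-12"), ("10002", "1990-11-03"), ("10003", "1978-01-30")]

@dataclass
class Account:
    uid: str
    dob: str            # known to HR; used only to reject it as a password
    salt: bytes
    pw_hash: bytes
    must_change: bool   # set at provisioning, cleared only by a genuine password change

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so identical passkeys (e.g. shared birthdays) do not share a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def provision(roster):
    """Create accounts whose initial passkey is the date of birth, flagged for forced change."""
    accounts = {}
    for uid, dob in roster:
        salt = os.urandom(16)
        accounts[uid] = Account(uid, dob, salt, hash_password(dob, salt), must_change=True)
    return accounts

def strong_enough(pw: str, dob: str) -> bool:
    """Reject the DOB itself (with or without dashes), short passwords and single-class ones."""
    if pw.replace("-", "") == dob.replace("-", "") or len(pw) < 12:
        return False
    return bool(re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))

def login(accounts, uid, pw):
    """Return 'denied', 'change_required' (initial passkey still in use) or 'ok'."""
    acct = accounts.get(uid)
    if acct is None or not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
        return "denied"
    return "change_required" if acct.must_change else "ok"

def change_password(accounts, uid, old_pw, new_pw):
    """Only a successful old-password check plus a strong new password clears the flag."""
    if login(accounts, uid, old_pw) == "denied" or not strong_enough(new_pw, accounts[uid].dob):
        return False
    acct = accounts[uid]
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_pw, acct.salt)
    acct.must_change = False
    return True

def still_on_initial_passkey(accounts):
    """Administrator audit: accounts that never completed the forced change."""
    return sorted(uid for uid, a in accounts.items() if a.must_change)
```

The audit function is the check the department official could not give a firm answer to: it lists exactly which accounts a leaked roster would still open.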
bdnews24.com reached out to the RHD Chief Engineer, Syed Moinul Hasan, about the list and sent the URL link of the notice upon his request.
Since Tuesday, the link to the notice has not been accessible from the portal, which suggests the notice was taken down from the department’s web portal.
When interviewed, some staff members of the department, seeking anonymity, said that some junior employees in the department's IT section usually upload and modify information on the portal.
The junior staff members have ‘admin’ status to access the portal's backend, along with some senior officials at the department.
Last week, a US-based tech news website revealed that it had been contacted by a cybersecurity researcher who had gained access to millions of Bangladeshis' personal details and transaction histories from a website registered under the Bangladesh government’s domain name.
The news website, without naming the government website, also said the researcher stumbled onto the trove of data through a simple Google search while testing the security of one of his projects.
Three days later, Zunaid Ahmed Palak, the state minister for information and communication technology, said that technical shortcomings in a web application registered under the gov.bd domain led to the leak and blamed the system administrators responsible for securing the database as per the data protection guidelines for the leak.
On Tuesday, the state minister said the birth and death registration website was being investigated for the leakage, an allegation the registrar general of birth and death registration strongly denied.
THE 29 CRITICAL INFORMATION INFRASTRUCTURES
- The Prime Minister’s Office
- The President's Office
- Bangladesh Bank
- National Board of Revenue
- Immigration and Passport Department
- Bridges Division
- National Data Centre Company Ltd
- National Data Centre
- Bangladesh Computer Council
- Bangladesh Telecommunication Regulatory Commission
- Election Commission's National Identity Database
- Central Procurement Technical Unit
- Sonali Bank
- Agrani Bank
- Rupali Bank
- Janata Bank
- Rooppur Nuclear Power plant project
- Biman Bangladesh Airlines
- Immigration, Bangladesh Police
- Bangladesh Telecommunication Company Ltd
- Power Grid Company of Bangladesh
- Bangladesh Power Development Board
- Titas Gas Transmission and Distribution Company
- Central Depository Bangladesh
- Bangabandhu Satellite Company
- Bangladesh Securities and Stock Exchange Commission
- Civil Aviation Authority Bangladesh
- Registrar General's Office, birth and death registration
- Dhaka and Chattogram Stock Exchanges
IS POLICE DATABASE LOGIN INFO A DARK WEB COMMODITY FOR TRADE?
Senior officials of Bangladesh Police strongly denied a recent rumour that the login credentials of the police’s main crime database were being traded on the dark web following the theft of several credentials back in June.
Md Manjur Rahman, the Police Headquarters spokesperson, dismissed the rumour.
According to him, no one can access the database, officially styled as Crime Data Management System or CDMS, since the police authorities have already made sure to change the login credentials of everyone who had access to the database, from a sub-inspector to the inspector general of Bangladesh Police.
However, Manjur, additional inspector general (Media and PRO), conceded that some of his peers and superiors might lack adequate cybersecurity awareness and understanding of the consequences of exposing their login credentials to a third party.
“Some of them may have never bothered to change the password which had initially been made for them by our system admin. Some may have logged into the system in front of a civilian who memorised the details. These kinds of carelessness put our system at risk and make it vulnerable to outside threats,” he said.
LEAK, THEFT OF DATA COMMON PHENOMENON IN BANGLADESH
In February this year, Chattogram Metropolitan Police arrested a ring that issued authentic birth certificates for 5,000 people using fake information.
According to Chattogram police, by accessing the birth and death registration website’s backend, the ring registered the 5,000 illegal aliens as city citizens and was paid a massive amount in return.
In Bangladesh, an authentic birth certificate can open many doors for an undocumented foreign national, such as registration for a national ID and obtaining a passport, which in turn allow opening a bank account and access to all the facilities the Bangladesh government offers.
The Birth and Death Registration’s Registrar General, Rashedul Hasan, said the incident was neither hacking nor stealing; rather, the ring involved members of the unit he oversees.
“Some rogue staff within our ranks did it. The login credentials were neither hacked nor stolen. Some of our staff members did it to make quick money,” he said.
Four years ago, the police arrested some officials at the Bangladesh Election Commission working under the national ID project for issuing authentic national IDs for a good number of Rohingyas who are not Bangladeshi citizens.
At the time, the police said those officials, in exchange for large amounts of cash, used their colleagues' credentials based in different Upazilas to log into the national ID database and create authentic IDs with fake information.
[Writing in English by Adil Mahmood; editing by Biswadip Das]