Date: 2023-07-09

The Bangladesh government has launched an investigation into a report that the personal information of millions of citizens has been leaked from a government website.
The full names, telephone numbers, email addresses, and national ID numbers of Bangladeshi citizens were included in the leak, according to TechCrunch, a US-based information technology news agency.
The Bangladeshi Government Computer Incident Response Team, or BGD e-GOV CIRT, however, described the leak as a “data breach”.
CIRT demonstrated “its professionalism and expertise by swiftly initiating a thorough investigation into the matter”, the agency said in a statement on Saturday.
The investigation will “make every effort to understand the extent and impact of the data breach”, CIRT said.
“It is crucial for all stakeholders involved to collaborate and support the CIRT's efforts to rectify the situation, implement necessary security measures, and prevent similar incidents in the future”, it added.
The leak was discovered by a cybersecurity researcher through a regular Google search, according to TechCrunch.
Viktor Markopoulos, a researcher for Bitcrack Cyber Security, told TechCrunch he accidentally discovered the leak on Jun 27 and informed the Bangladesh government of the situation through CIRT.
He warned that the data could “be used in the web application to access, modify, and/or delete the applications and view the Birth Registration Record Verification”.
TechCrunch said they used 10 different sets of data on the public search tool of the government website and were able to verify the data. The website returned other data in the leaked database, such as the name of the person who applied to register and, in some cases, the name of their parents.
The publication declined to name the government website as the data is still available online.
“We are looking into it,” said CIRT Project Director Saiful Alam Khan when asked about the incident on Saturday.
CIRT also suggested some measures to ensure security as well as data protection in cyberspace in the statement.
The measures suggested by CIRT are:
∙ Enhance your capability to combat growing cyber threats.
∙ Ensure vital services such as DNS, NTP as well as network middleboxes are securely configured and are not exposed on the internet.
∙ Ensure proper Information and Cyber Security awareness training among all the employees, customers, and consumers to report issues, if they observe any anomalies and/or suspicious activities.
∙ Ensure strict network and user activity monitoring 24/7.
∙ Conduct Vulnerability Assessment and Penetration Testing (VAPT) for all the systems regularly.
∙ Configure and harden web applications as per OWASP guidelines.