A lack of proper monitoring of web applications dotted with technical weaknesses led to the leak of the data of around five crore citizens from Bangladesh's Office of the Registrar General, Birth and Death Registration website, a probe report said.
According to media reports, State Minister for ICT Zunaid Ahmed Palak said the findings pointed the finger at the lack of monitoring owing to limited manpower with the proper technical knowledge required.
Technical weakness of the web applications of the associated organisation was the main reason behind the leaking of a massive amount of citizen data, according to a probe report.
He said no log file was stored in the application system of the office concerned.
The probe report came on the heels of a high profile leak of citizen's data, including their full names, phone numbers, email addresses and National Identification (NID) numbers.
The alarm bell was first rung by Viktor Markopoulos, a Greek information security consultant who specialises in web applications.
Viktor, who accidentally discovered the leak on 27 June, said he informed the Bangladesh e-Government Computer Incident Response Team (CIRT) about the data breach.
Saying that finding the data was easy, Viktor Markopoulos, added that, "It just appeared as a Google result and I was not even intending on finding it. I was Googling an SQL [a language designed for managing data in a database] error and it just popped up as the second result."
The CIRT in a press release on 9 July said the data breach had been addressed.
The release made waves, especially among the Bangladeshi tech industry
"This is an alarming issue," said Fahim Mashroor, tech entrepreneur and the CEO of BD Jobs.
"They availed access to data of more than five crore citizens which is almost one-third of our population. All this information was taken from a government database, which exposes how vulnerable the state of IT security is in those offices," he added.
Speaking to The Business Standard at the time, former president of BASIS Syed Almas Kabir said, "We are not aware of identity theft so we don't take it very seriously. But it should bear in mind that identity theft can be executed in a very evil manner. Say for instance, through identity theft, I can even claim your identity. Starting tomorrow, I can open bank accounts under your name and do other things."
Describing the leak as "outright alarming", he said when it comes to cyber security, data privacy or identity theft, our awareness is not up to the mark.
"We have no understanding of data privacy whatsoever. A lot of people cannot differentiate between data security and data privacy. Securing data and having privacy over that data are two entirely different things."
