State Minister for Information and Communication Technology Zunaid Ahmed Palak said on Sunday (9 July) that a weakness in the government site concerned was responsible for the data leak that exposed more than 5 crore Bangladeshi citizens' personal information.
"No government website has been hacked," he said, adding, "Citizens' information was exposed due to the vulnerability of the website."
He made these statements to the media after attending the launching ceremony of Bangabandhu International Cyber Security Awareness Award 2023 in Agargaon.
"Our Computer Incident Response Team, BGD e-gov CIRT, investigated the matter after learning about it. We found that it cannot be called hacking. Because hacking is when someone breaks into a system and steals information. It was not that someone came into your house and stole something," Palak explained.
He continued without mentioning the name of the website, "We have found that the website that exposed the data did not have the minimum security certificate it should have obtained. Moreover, through the API which was created, anyone could see the data. This is why we did not find any particular cyber hackers, cybercriminals who have hacked or stolen information."
"What we found was that there were some technical weaknesses in the website, due to which the data could be easily seen and read, and was practically open to all."
When asked who would be held responsible for the data leak, the state minister said, "The government has declared 29 government institutions as critical information infrastructure. The information was exposed due to the error of one of the institutions."
He added that efforts were underway to resolve the issue, and that the people responsible for the leak would be brought to justice.
"We will recommend punishments for those whose negligence caused the data to be exposed," Palak said.
According to a report published by the US-based online news outlet TechCrunch, Viktor Markopoulos, a researcher working at Bitcrack Cyber Security, accidentally discovered the alarming leak on 27 June.
Noting that the leaked personal data includes citizens' full names, phone numbers, email addresses and National Identification (NID) numbers, Viktor said he informed the Bangladesh e-Government Computer Incident Response Team (CIRT) about the data breach but got no response.
The Business Standard contacted Viktor, who shared several screenshots of the leaked information via email.
Viktor said, "I am still analysing the data so I cannot be too sure yet but I can say with confidence that it is around 50 million people."
He said that proper system architecture, regular penetration tests, authentication and authorisation mechanisms, clear communication with the citizens and addressing the issue when such an incident occurs are the key to ensuring the protection of sensitive data.