Government data exposed due to another cybersecurity breach

Dec 8, 2024 - 13:12

Sensitive information from various government agencies has been leaked online, exposing personal details of over 100,000 police officers, including their IDs and secret passwords for accessing police databases.

The leak has also affected multiple organizations, such as government service agencies, banks, financial institutions, transportation-related government bodies, regulatory agencies, and educational institutions. This is not the first instance of a government data breach.

A cybersecurity volunteer group reported that 4,717 IDs and passwords for accessing the ‘admin panel’ (control system) of websites and databases belonging to various government agencies were exposed in the past year.

The leaked data is being sold on criminal platforms like the Dark Web and Telegram. Some organizations have managed to block the leaked IDs and passwords, but experts warn that such leaks increase the risk of various crimes, particularly financial fraud, including rising identity theft in Bangladesh. There have even been reports of fraudulent loans taken out using stolen identities.

The majority of the leaked data consists of login credentials—URLs, IDs, and passwords—that grant unauthorized access to government agency databases, as long as the information remains active. Around 700,000 login details have been compromised, along with personal information that heightens the risk.

Gazi Mahfuz ul Kabir, legal advisor at the Bangladesh Cyber and Legal Centre, stated that the breach of such vast login and admin panel data is especially dangerous. An intruder could potentially access an entire database with a single admin panel login.

He emphasized that the country’s information management system faces significant threats without proper security measures. 

One of the affected police databases is the Crime Data Management System (CDMS), which contains at least 50 types of information related to cases, from start to finish. Investigation officers can access this data using specific IDs and passwords. In the past six to eight months, over 2,000 police CDMS login credentials have been leaked.

This type of breach, known as ‘credential compromise,’ has exposed 31,415 pieces of data, including police crime-related information. These details are being sold on Telegram channels, where individuals offer to retrieve case-specific data for a fee. 

In July, before the fall of the Awami League government, the personal information of over 108,000 police officers was leaked. This breach exposed sensitive data, such as identification numbers, ranks, workplace details, family information, and more. Some officers confirmed that the leaked information was accurate, expressing concern about the exposure.

The breach is believed to have originated from the police’s Personal Information Management System (PIMS). When asked for an official comment, the police department did not respond, although an anonymous official stated that user-level negligence often contributes to such breaches. The official assured that the main police database remains secure and that leaked IDs are quickly blocked to prevent misuse.

Over the past six months, more than 200,000 pieces of data from educational institutions have also been leaked, with 2,268 entries related to admin panel credentials. A cybersecurity volunteer group highlighted that security lapses have allowed unauthorized access to education board databases, endangering the privacy of students and faculty.

Additionally, an advertisement appeared on Telegram offering information about the location of mobile phone operator customers. A bot was also created to provide such information. When tested, the bot revealed outdated location data of a user. This highlights the potential risks of data breaches involving outdated information.

The volunteer group noted that similar vulnerabilities allow access to multiple banks’ databases, further raising concerns about the security of sensitive data.

Cybersecurity experts believe that recent leaks are linked to malware, including Russian-made software. These types of malware are typically spread through email attachments or pirated software, often without the user’s knowledge. Both domestic and foreign hacker groups have exploited this malware to gain control of computers and steal sensitive data.

A particular malware, Lumma, was highlighted in an October report by the BGD e-Gov CIRT, which monitors Bangladesh’s digital infrastructure.

Experts argue that underdeveloped and developing countries, including Bangladesh, are prime targets for data theft due to widespread use of pirated or outdated operating systems and a lack of basic security measures. As a result, these countries face a higher frequency of data breaches.

Bangladesh has experienced several such incidents, including the 2023 leak of smart National Identity Card (NID) data, which was being sold on Telegram. By providing an NID number and date of birth, anyone could access the personal details of citizens.

BGD e-Gov CIRT has warned that key state institutions, including law enforcement agencies, remain vulnerable despite efforts to address the issue. Some organizations have acted swiftly, but many have been slow to respond, and there is a widespread shortage of trained cybersecurity personnel.

This lack of preparedness is contributing to the growing risk of cyber threats. Abu Sayed Md. Kamruzzaman, Director General of the National Cyber Security Agency, expressed his concerns, urging institutions to prioritize cybersecurity. He stressed the importance of establishing and enforcing clear cybersecurity policies to protect sensitive information.
