Some user info of Nagad, other entities in public domain

User information of those seemingly having Nagad accounts was being found across several platforms, including Telegram bots, until last week, raising questions about personal data protection.

The government's Computer Incident Response Team (CIRT), a project of the ICT Division that responds to computer security incidents and activities in Bangladesh, has already alerted the NID authority and Nagad about the issue over two weeks ago. 

Mohammad Saiful Alam Khan, project director at CIRT, confirmed this to The Daily Star on March 3.

"Not only Nagad, we have also informed the NID authority about such incidents relating to some other entities," he said without revealing the names of the other entities.

From February 23-March 6, The Daily Star tested out three different sources – one Telegram bot, one human-operated Telegram channel and one website – and found that it was possible to extract personal information just with a mobile number.

All of them were live and active until March 6, when The Daily Star shared the evidence with Nagad. 

The bots offered full information for free, while the website provided half the information for free, and sought a monthly "subscription" fee of Tk 640 for the rest.

The information that was obtained within a second include NID number, name, date of birth, father's name, mother's name and address. They are unable to access, or output transaction data of customers.

The Telegram bot started operating in November 2023, while the channel was created on January 31, 2024. The website was created on January 27, 2024.

All of the Telegram channels had names with the word "Nagad" in it.

In a written response on March 7, Nagad said that "personal information of Nagad customers remains completely secure and free from all forms of risks."

In order to verify if only Nagad's user information was being returned, The Daily Star ran searches from February 23-March 6 with phone numbers not linked to Nagad, or phone numbers linked to other mobile financial services, and neither this specific bot nor this specific website returned any results.

Within the Telegram channels and bots, the user data requested was shared publicly, such that all those within those groups could have access to it.

It was impossible for The Daily Star to ascertain who ran the Telegram channel, bot or the website since all the information was masked.

The Telegram channel claims that it was reproducing the information from the "KYC" or "Know Your Customer" database.

Nagad denied this, calling it a "smear campaign."

"Nagad stores all personal identification of customers in encrypted format. However, it is disheartening to observe that vested interests are trying to take advantage of this situation by launching a smear campaign against Nagad across various platforms including social media," it said in its response to The Daily Star.

KYC is a step that customers must complete in order to have a functioning account. This is mandatory under Bangladesh Mobile Financial Services Regulations 2022

The step entails uploading scans of the NID of the customer, following which, the app extracts all relevant information from the card and auto-fills them into the customer's profile.

Although the KYC database also stores photos of the user, the bots and websites tested out by this newspaper were unable to return those.

"We have promptly taken effective measures in response even though there may not have been any data breach from our end.  Besides, we have also got our systems reviewed by security consultants to ensure no system vulnerability persists.  It needs to be mentioned that Nagad uses state-of-the-art technology and security infrastructure & framework to secure its system above all customers' information," said Nagad.

Nagad has over 80 million registered users making it one of the two leading mobile financial service operators in Bangladesh. Their daily transactions go over $111 million, according to a Nagad press release issued in August 2023.

This probable leak follows the heels of multiple similar leaks of citizen data last year. One such leak was from the government's land tax portal.

According to the National Cyber Security Index updated on January 31, 2024, Bangladesh scored a zero in the category of protection of personal data.

Bangladesh however scored highly in "cyber incident response" which judges how effectively breaches or leaks are managed. Its global ranking is 24.

All of the information found in these leaks is classified as personal data, according to the data protection bill, which upholds the right to privacy.

The bill was approved in principle by the cabinet, but it is yet to be passed as a law. It states that personal data cannot be collected or processed by anyone without the user's consent.

It acknowledges that data privacy is a right. It also legally puts the onus on the data collector to alert "data subjects" within 72 hours in case there is a personal data breach.

Violations of the law carry administrative fines.

The Bangladesh MFS Regulations 2022 protects confidentiality of customer transactions information, but mentions nothing about personal data.

In the case of traditional banks, however, customers' data are confidential and the banks cannot share the data except with relevant regulatory or law enforcement authorities as per the local laws, said Md Saimum Reza Talukder, a senior lecturer who teaches cyber law at BRAC University. Even then, they need authorisation from a court.

Around the world, failure to comply with data protection laws may bring serious consequences for businesses both in the short and long term. It not only results in legal and financial penalties and sanctions, but also diminishes a company's reputation, he said.

"For example, according to General Data Protection Regulation (GDPR) of the European Union, if client's data is infringed due to a company's failure to use appropriate technical measure, a temporary or definitive ban on data processing and a fine up to 20 million euros or 4 percent of the business's total annual worldwide turnover, whichever in higher, can be imposed," said Talukder.