Personal data up for sale online!
Some government employees are selling citizens' NID card and phone call details through hundreds of Facebook, Telegram, and WhatsApp groups, the National Telecommunication Monitoring Centre has found.
In a letter to the home ministry, the NTMC said private information was being sold through 21 WhatsApp, 48 Telegram, and 720 Facebook groups and pages that have 32 lakh members and followers.
For all latest news, follow The Daily Star's Google News channel. The letter sent on April 28 did not mention how many people's data have been sold.
The NTMC first detected unusually high numbers of logins to its National Intelligent Platform (NIP) by the IDs that belong to Farhana Yesmin, superintendent of police at the Anti-Terrorism Unit (ATU), and Tarek Aman Banna, assistant superintendent of police at Rab-6.
The two officers' login ID and password were used to gain access to the sensitive data that was given to members of messaging groups in exchange for money, said the letter.
Earlier this month and last month, police arrested two data entry operators of the IDEA 2 project on charges of selling private data.
The NTMC is legally authorised to monitor all electronic communications, in coordination with the telecommunications ministry, BTRC, law enforcement, and intelligence agencies.
Nearly 500 officials of 42 organisations can login to the NTMC's NIP and access people's private data and call detail records (CDR) for verification before rendering services and for investigations.
The CDRs sold on social media groups and messaging apps were taken from the NTMC server, said the letter.
The NTMC requested that the individuals responsible for the unauthorised use and illegal transfer of sensitive information be identified and proper action be taken against them.
Until then, "all user IDs of ATU and Rab-6 will remain suspended", read the letter. During the suspension, officers of the two organisations will collect information from the NTMC headquarters.
The data breach was first noticed in the login report from 8:57pm-9:27pm on April 25, the letter said. Between March 25 and April 25, the two police and Rab officers' IDs collected way more data than any other users did.
The NTMC enclosed four pages of screenshots of secure messaging app Telegram, one page of screenshots of login report by ATU and Rab-6 officers, two pages of summary on information accessed by ATU and Rab-6, and a 23-page report on a Telegram channels.
Meanwhile, the ATU in a letter to the NTMC on May 2, said, "In a primary investigation, the ATU found that constables Mrittyunjoy Chandra Roy of the cybercrime wing and Khairul Islam of the operations wing were involved in selling sensitive data, including call detail records, in exchange for money. The constables admitted to it during interrogation."
The constables were suspended on April 29, said the letter, adding that it had evidence of unauthorised data transfers through the login credentials of SP Farhana.
Rab Director General M Khurshid Hossain said the Rab-6 officer was closed and an investigation over the matter was going on. He added that constables who operate computers were probably responsible for the breach.
Mofiz Uddin Ahmed, deputy inspector general (admin) of ATU, said a departmental investigation was underway to find those who are involved. Action will be taken against them.
Neither Farhana nor Tarek responded to calls and text messages seeking comments.
Cybersecurity expert Sumon Ahmed Sabir told The Daily Star that one's personal data and NID details can be used to open bank accounts and avail loans based on forged documents. And that is only one of the crimes that can be committed through private data.
NTMC made some recommendations to prevent personal data theft. These include setting up a Network Operations Centre (NOC), Security Operations Centre (SOC), and auditing platform to secure the servers of NID and birth registration, centralising NID server management and overseeing connected organisations through a hub.
It also recommended replacing all API connections to national dataset servers with secure APIs and user role management, ensuring unique API credentials for each organisation, collecting mobile network operators' data exclusively from NTMC, ensuring multi-factor authentication for all systems, and integrating biometric matching in the NID API for the Prison Inmate Database System (PIDS).
The NTMC said it may provide technical support for ensuring NID and birth registration security. Along with BTRC, NTMC needs to be included as a focal point for direct communication with Facebook, WhatsApp, and YouTube.
Comments