Government mishandling of personal data: Where does it end?
The news of a handful of government employees selling the personal data of citizens—including National Identity (NID) card numbers and phone call details—has raised alarms in the last few days. On May 21, this newspaper reported that a few crooked government employees were stealing the sensitive personal data of citizens from the national intelligence servers and selling it in exchange for money in over 750 groups, pages, and profiles on different social media platforms.
In a world that makes sense, this news would have made a much bigger splash. Not here though. Here, we are too used to indifference. The National Telecommunication Monitoring Center (NTMC), the body that discovered the breach, did notify the Anti-Terrorism Unit (ATU), and RAB-6, the two government security units harbouring the accused officials, and the two units did assure that appropriate actions are being taken. But there's no guarantee that this will be the last of such incidents.
Indeed, the NTMC itself was accused of mishandling our data not too long ago. In November last year, WIRED, an American magazine, published a story on the NTMC leaking sensitive, private data of the citizens. WIRED claimed that NTMC was unknowingly publishing scores of personal data—phone numbers, names, blood groups, professions, parents' names—through an unsecure database linked to its system. WIRED reported that hackers had gained access to this unsecure database and proceeded to steal and sell the data.
NTMC denied the leak to the local media later but the proof WIRED presented in its investigation was quite comprehensive. The leak was discovered and confirmed by Viktor Markopoulos, a cybersecurity researcher who was the first to identify the earlier massive data leak from the Office of the Registrar General, Birth and Death Registration where over 50 million citizens' personal data remained exposed online for anyone to grab through a simple Google search.
Incidents like these are not uncommon in the country. With a poor record of cybersecurity, Bangladesh has been home to some truly eyebrow-raising breaches in recent years. In March last year, hackers stole over 100 gigabytes worth of personal data from Biman Bangladesh, the state carrier, and demanded $5 million in ransom.
In July, notorious hacker group ALPHV stole over 170 gigabytes of sensitive personal data—including employees' names, passport and NID information—from Bangladesh Krishi Bank's servers and demanded a large sum as ransom. In October of the same year, this newspaper reported that NID information of citizens was available for sale in a Telegram channel managed by unknown miscreants. Most notably, the entirety of the stolen funds from the 2016 Bangladesh Bank heist that made numerous international headlines, has still not been fully recovered.
Has anyone at the highest levels of the government stopped to think, for a moment, about the consequences of these massive data leaks? From identity theft to financial scam, small and large, the possibilities are dangerously endless. A Bangladeshi I know who resides in Finland only found out last week that his personal MFS account was terminated because apparently another account was opened with his same NID details the week before, and you can only have one account against each NID. The poor fellow—and his NID—never left Finland in the last two years.
A victim claimed that his NID was used to create an MFS account in his name, while he never even picked up his card from his hometown. Another person I know found out last month that there was an MFS account created in his name and phone number while he has no idea who or how.
This is just the tip of the ice-berg: the few cases that get disclosed, the few cases that get discussed and dissected. If one looks deeply into the issue, there's bound to be many more incidents like these. Who will take the blame for the many lapses in our cybersecurity? Why should we, tax-paying, law-abiding citizens, be okay with our data being sold off to scammers and hackers?
Is our government really that careless, or just completely incapable of even comprehending the graveness of the situation that they put us in? The government generally loves to boast about "Digital Bangladesh" and "Smart Bangladesh." Higher-ups of the government proudly boast our "robust" IT infrastructure, our data-centres, our booming freelancing economy and routinely incite tech giants to open local bases of operations. Are these incidents of data breach and data leaks not contradictory to the very image of the smart, digital, developed Bangladesh that they are desperately trying to portray or advertise?
In the end, the question that really matters is, where does this mayhem stop? With a lack of accountability, disciplinary actions, and in many cases any acknowledgement at all, the answer—with complete and total despair—is seemingly never.
Zarif Faiaz is a journalist at the Tech & Startup section of The Daily Star.
Views expressed in this article are the author's own.
We welcome your contributions and analysis of global events, and responses to our articles. To submit articles to Geopolitical Insights, please send an email to ramisa@thedailystar.net.
Follow The Daily Star Opinion on Facebook for the latest opinions, commentaries and analyses by experts and professionals. To contribute your article or letter to The Daily Star Opinion, see our guidelines for submission.
Comments