Smart Bangladesh, unsmart cybersecurity measures
With consistently poor data security and the resultant surge in cyberattacks in recent years, Bangladesh faces major cybersecurity challenges. The latest case of cybersecurity vulnerability was the leakage of sensitive personal data of individuals who have the smart National Identity (NID) cards on a Telegram channel. While the NID database contains personal information of more than 12 crore voters, 5.5 crore of them have Smart NID cards. The custodian of the NID system, the Election Commission (EC), has tried to wash its hands off the issue saying that the data breach occurred through one or some of the 174 institutions and organisations that have access to the NID server. But the fact remains that the EC is sharing sensitive personal data of citizens with various bodies that are not capable of ensuring their web security and integrity, resulting in this leakage.
Earlier in June this year, US-based online publisher of start-up and technology industry news TechCrunch revealed that the personal data of more than five crore Bangladeshi citizens had been exfiltrated and exposed from the website of the Office of the Registrar General, Birth and Death Registration (BDRIS). The exposed data included full names of the victims, their phone numbers, email addresses and NID numbers.
In the recent case, the entire profile of an individual could be obtained from the Telegram channel by just providing two inputs: the NID number and the date of birth.
The Telegram channel leakage raises questions about the integrity of the EC, which provides sensitive personal data of individuals to organisations with little ability to keep them secure. The BDRIS issue should have been a good enough red flag for the NID data custodian to limit access to information for high-risk organisations, like they have done after the Telegram issue surfaced.
What is even more concerning is that, despite identifying BDRIS as a source of data pilferage, no punishable action has yet been recommended against them by the investigating body, and the ICT Division closed the loop saying, "It is not acceptable that personal information of five million people was open to all. However, we cannot deny the claim either."
In other countries, such cases are not treated lightly, and responsible organisations are at least made accountable for their failure with penalties. For instance, the Integrated Health Information System of Singapore, in 2019, was fined $750,000 (around Tk 8 crore) for the incident of pilferage of personal data of its patients. Penalising organisations for such a breach is not about playing the blame game; rather, it is a negative reinforcement, holding them accountable for their negligence and making sure that they are more careful in the future. A simple slap on the wrist – as in the case of BDRIS – only goes to show how lightly this issue is being treated by the authorities here.
The problem with these data breaches means sensitive personal data of the citizens are now exposed – once data is leaked, even if it is taken down from public domain later, it is likely to remain with those nefarious bodies that have downloaded them – and this makes them even more vulnerable to crimes such as identity theft. Personal data could easily be manipulated by criminal groups to carry out fraudulent and criminal activities. What guarantee is there that your and my complete personal profiles are not lying at the disposal of some criminal gang – may be even in a far away, obscure location – for them to exploit and use at their will? And with the general election almost knocking at the door, what guarantee is there that criminals would not leverage these leaked data to manipulate the election results via identity theft?
We are moving towards Vision 2041 at a fast pace to become "Smart Bangladesh." As we move towards this grand vision, launch digital banking to bring the masses under the formal financial umbrella, increasingly leverage Internet of Things (IoT) for easier data exchange and to make life better, bridge the digital divide through digital innovation and sustainable solutions, and embrace 4IR, we are no longer in a position where we can wash our hands off responsibility by pointing fingers at others.
In the Telegram case, it was the EC's responsibility to make sure that only organisations with high security measures could access the personal data of citizens at its disposal, especially in the aftermath of the BDRIS incident. Leakage and exfiltration essentially pose a threat to national security, especially as we are digitalising more and more critical and sensitive services.
The Bangladesh Government's Computer Incident Response Team (BGD e-GOV CIRT), along with the cybercrime investigation team under the police's Counter-Terrorism and Transnational Crime (CTTC) unit and other agencies involved with combating cyberthreats, should be empowered with enhanced knowledge and adequate tools so that they are better capable of averting such risks and threats going forward. Since we are prioritising a smart future, we must also put in place adequate digital infrastructure to keep us safe in the smart world.
Tasneem Tayeb is a columnist for The Daily Star. Her X handle is @tasneem_tayeb
Views expressed in this article are the author's own.
Follow The Daily Star Opinion on Facebook for the latest opinions, commentaries and analyses by experts and professionals. To contribute your article or letter to The Daily Star Opinion, see our guidelines for submission.