Agencies storing citizens' data are failing them

While the government actively collects citizens' data, promising digitisation and improved services, its ability to protect that data remains questionable, to say the least. Following multiple data breaches and website hacks last year, new batches of sensitive data and NID details have again been leaked and used for fraudulent activities. According to a report by this daily, the Cyber Crime Investigation Department of Dhaka Metropolitan Police has apprehended a group of individuals running cloned government websites. These fake websites collected/stored personal data and used it to sell fabricated documents, including land rent certificates, tax identification numbers, employment certificates, expat health certificates, tax certificates, bank statements, etc.

This is not the first time that the NID server, containing data of nearly 12 crore individuals, has been compromised from a government site. It mirrors incidents reported by TechCrunch last year, where hackers gained access to citizens' data through another government website. It was then claimed that appropriate action would be taken, but to no avail so far. Reportedly, about 176 government organisations have access to the central NID server. However, no tangible efforts seem to be in place to prevent any breach from this network.

This has already resulted in breaches of at least 25 websites across government and private institutions in 2023 alone. The leaked data included 40,000 records from the central bank, login credentials of police officers, revenue collection data of government hospitals, land tax details and, more disturbingly, very personal information including NID details of at least 50 million Bangladeshis from the NTMC database—much of it collected without their consent.

This is a flagrant violation of citizens' privacy rights, exposing them to various risks of exploitation. The government has been using the issue of cyber security to impose repressive laws over the years but, as evident by the repeated data breaches, it is proving to be incapable of protecting the data of citizens. We must ask then, how justified is it to make personal data collection a mandatory criterion for providing national services, only to make those vulnerable to hackers? We urge the authorities to take stern actions to prevent this scenario.