Who watches the watchmen?
On June 27, it took a foreigner to point out that millions of Bangladeshi citizens' personal information was left exposed on the internet due to a security leak on the website of the Office of the Registrar General, Birth & Death Registration (BDRIS). At least 50 million citizens' personal data – including full names, birth dates, addresses, parents' and grandparents' names, phone numbers, and more – were affected by the security breach.
Viktor Markopoulos, the cybersecurity expert who spotted the leak, tried to contact the Bangladesh government's e-Government Computer Incident Response Team (BGD e-GOV CIRT) repeatedly but no one responded. It was only after the news was widely circulated in the local media that CIRT acknowledged the breach and took steps to take down the exposed data.
A somewhat similar issue happened when Bangladesh Krishi Bank was hit with ransomware. On July 11, this newspaper reported that the notorious ransomware group ALPHV, also known as BlackCat, hacked into Bangladesh Krishi Bank and stole over 170GB of sensitive personal information, including employees' names, passport and NID information. ALPHV claimed in their blog that they offered the Bangladesh Krishi Bank authorities a window to negotiate, but no one responded or "was bothered."
It is one thing to become a direct victim of cyberattacks. But when weak cyber infrastructures leave your data exposed, and when you fail to even acknowledge or spot an attack, let alone fight it, they go on to highlight the extent of carelessness the government shows when handling the citizens' personal, sensitive information.
As citizens, we entrust the government with our personal information based on the belief and goodwill that the government will keep it safe and not misuse it – nor let it be misused – in any way. But recent events showcase the government's utter failure in safeguarding citizens' personal and sensitive data that may easily end up in the wrong hands. Even the meek responses to the cyberattacks showcase how the government authorities fail to even comprehend the dangers of these security breaches.
That brings us to the burning question: what happens when our data is out there for the world to grab? For starters, your leaked personal data exposes you to the growing dangers of internet fraud and scams. It becomes easy for you to become a victim of identity theft. A hacker – or anyone, actually – can easily steal your entire identity, engage in a scam or fraud under your name, and get away with it. With your sensitive personal information available on a mere Google search, hackers may even gain access to your bank accounts, social media handles, emails, and more.
The police, too, fail to protect our data. In fact, in at least three of these cases, the police themselves were the victim.
Hackers often sell your data to other hackers who may have a separate agenda or motivation. These agendas are almost never personal. International groups may gain access to your data – either by hacking directly or buying off of other hackers – and engage in full-scale cyber wars with rival groups or countries. Your data, in those cases, becomes collateral.
ALPHV, for example, declared on July 7 that if Bangladesh Krishi Bank did not meet the ransom demand, they would start extracting funds from the bank. The group even issued a warning to all stakeholders and investors to pull their funds from the bank within seven days of declaring the warning.
These events can cause serious financial loss and can be extremely difficult to fight back against for all sorts of legal issues. In a country like Bangladesh, where frauds and scams like these are not well-defined in terms of legal proceedings, recovering your identity or funds can prove to be even more gruelling.
Surely, our safeguards must know about these dangers. The question, then, arises: why did they fail to protect our data? How did even the first responders of cyber threats miss out on these security breaches?
Consider BGD e-GOV CIRT, for example. Its website says, "Bangladesh Government's e-Government Computer Incident Response Team (BGD e-GOV CIRT), serving as the National CIRT of Bangladesh (N-CERT) with responsibilities including but not limited to receiving, reviewing, and responding to computer security incidents and activities in the territory of Bangladesh as well as keeping close collaboration with international partners to secure the cyberspace of Bangladesh." Clearly, CIRT is responsible for preventing these attacks, or at least spotting these security breaches and responding to them. And yet, when a reporter of this newspaper first contacted CIRT about the BDRIS leak, CIRT's project director claimed they were not aware of any such attacks.
However, somewhat in CIRT's defence, it did issue a notice on June 27, advising the government, military, and financial institutions to stay alert and implement essential security measures to safeguard against possible cyberattacks. CIRT mentioned that several sectors including banks and critical information infrastructures were at high risk of being targeted by cyberattacks.
The police, too, fail to protect our data. In fact, in at least three of these cases, the police themselves were the victim. On March 15, a group named New World Hacktivists released 84 police log in credentials. Among these, 40 credentials belonged to officers-in-charge of various police stations located in Dhaka. On March 17, a hacker group called the Indian Cyber Force leaked information of about 270,000 Bangladeshi citizens from the Cox's Bazar police's server. The Khulna Metropolitan Police were also attacked by Indian hackers on March 28.
The cases go on. Biman Bangladesh airlines, the national flag carrier, was recently attacked by ransomware, although Biman authorities insist that "no data has been stolen." The Bangladesh Railway website was also a victim of a DDoS (Distributed Denial of Service) attack in recent times, but reportedly no data was stolen. Bangladesh Army, Bangladesh Air Force – all have fallen victim to cyberattacks in one form or another in recent times.
Our government, just like any government around the world, routinely collects sensitive personal data from the citizens for various national purposes. Citizens also willingly give these data to the government, often for essential services, in the goodwill and confidence that the government will not mishandle them. It's a promise, a trusted bond bound by a social contract.
That promise has not been kept. And when our sentinels betray us, whom do we turn to?
Zarif Faiaz is a journalist at the Tech & Startup section of The Daily Star.