The National Telecommunication Monitoring Centre (NTMC), an intelligence organisation in Bangladesh that gathers information on people's cell phone and internet usage, has been exposing people's personal information for months through an unprotected database connected to its systems.

Unidentified hackers attacked the database, which was publicly visible this past week, erasing all data from the system and making false claims to have taken the trove of data, according to a WIRED report.

NTMC Director General Maj Gen Ziaul Ahsan confirmed to The Daily Star that some data has been leaked but that it is not from the NTMC system. He also insisted that it is only incorrect sample data.

"We have to give data to our vendors so that they can develop their products. We do not give them authentic data. It is some of that data which got leaked," he said, insisting that the leak is inconsequential.

Meanwhile, WIRED has verified a sample of real-world names, phone numbers, email addresses, locations, and exam results included in the data. The precise nature and intent of the gathered data, however, are unclear because some entries seem to be test data or incomplete or inaccurate records. The NTMC and other officials in Bangladesh have not responded to requests for comment.

Security researcher Viktor Markopoulos of CloudDefense.AI, who found the unsecured database, said, "Even if it's not really something that sensitive, I wouldn't be expecting this to happen for any intelligence service. They still reveal the structure that they're using, or what exactly they are intercepting or plan to intercept, even though many of the data are test data."

After finding the exposed database, Markopoulos connected it back to the NTMC and to the login pages of a national intelligence platform run by the Bangladeshi government. Markopoulos thinks that a misconfiguration most likely led to the database being exposed. The database holds over 120 data indexes, each containing a different set of logs. The index names include "sat-phone," "sms," "birth registration," "pids_prisoners_list_search," "driving_licence_temp," and "Twitter." Some of those indexes hold a few hundred entries, while others hold tens of thousands.

The NTMC database contains an enormous quantity of metadata, which is the incredibly potent "who, what, how, and when" of every individual's communications. Call audio isn't disclosed, but the metadata shows call duration and possible caller numbers. Metadata of this type can be used broadly to reveal patterns in people's interactions and behaviour.

For instance, the "birth registration" log includes fields such as name (in English and Bengali), birthday, sex, birthplace, and mother's and father's names and nationalities, according to a sample of the data reviewed by WIRED. Another log, called "finance personal details," also includes people's names as well as cell phone numbers and bank account details, and lists an "amount" for the account type. National ID numbers are frequently included in the data structures, as are cell phone numbers and the names of mobile operators in Bangladesh.

One person contacted by WIRED confirmed that the email, mobile number, and a billing address listed belonged to them. The person says they are a subscriber of telecom firm BTCL, which is government-run and has some of their personal information, although it's unclear whether this is the source of the data that was leaked. Markopoulos found exam results listed in the data, including some that were taken in the late 1990s, that matched those listed on the Ministry of Education's website. Text messages sent to multiple numbers in the database were delivered, although one person replied saying they were not the person listed in the dataset. Another phone number is publicly listed as belonging to a Bangladeshi business. An encoded passport photo correlates with the alleged owner's public information (although they could not be reached for comment).

From a review of a sample of the exposed information, it is unclear why the data has been collected, where it has all been collected from, or what it is being used for. There is no indication that it relates to any wrongdoing.

Jeremiah Fowler, a security consultant and cofounder of data breach discovery firm Security Discovery, reviewed the exposed database and confirmed its links to the NTMC. Fowler, who regularly finds exposed servers and databases online, says the data being linked to the intelligence body is "probably one of the first that I have seen like this."

"The biggest thing I saw that was really dangerous was a bunch of IMEI numbers," he says, referring to the identifying code given to each individual cell phone. "With those, you can actually track the device or clone the device."

The NTMC has not acknowledged or responded to WIRED's questions about the leaked information, including those about its purpose and the amount that has been gathered. The press office of the government of Bangladesh and the Bangladesh High Commission in London also did not respond to requests for comment. Markopoulos reported the exposed information to Bangladesh's Computer Incident Response Team (CIRT) on November 8, and it acknowledged his message and thanked him for disclosing the "sensitive exposure." In an email to WIRED, the CIRT said it had "notified the issue" to the NTMC.

The database appeared to be offline ahead of the publication of this article. However, Markopoulos says that on November 12, the database was wiped and in its place appeared a ransom note by an unknown attacker or group of attackers. The note demanded payment of 0.01 bitcoin (around $360 at current exchange rates), or the "data will be publicly disclosed and deleted." Both Markopoulos and Fowler say this is common for exposed databases of this kind. Meanwhile, new entries have started appearing in the wiped database, Markopoulos says, and they include a "search log" index that may indicate the system is still in use.