Bangladesh e-government website exposes personal data
Take action: SQL handling at its best (or worst). Test, validate and sanitize SQL input, SQL result set responses and SQL error messages. Otherwise your database may end up being indexed by Google.
The personal information of Bangladeshi citizens has been leaked through a government website, affecting millions of individuals. The leak was discovered by security researchers, who promptly notified the Bangladeshi e-Government Computer Incident Response Team (CERT).
The leak exposed:
- full names,
- phone numbers,
- email addresses,
- national ID numbers.
Researchers confirmed the leak by using the public search tool on the affected government website, which returned accurate information, including the names of applicants and, in some cases, the names of their parents, across multiple data sets.
The number of affected individuals was not initially known, but the population of Bangladesh is over 160 million people, so we can assume the exposure is in the tens of millions. The number of affected individuals was later confirmed to be estimated at 50 million.
In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID and provides access to various services such as obtaining a driver's license, passport, land transactions, and opening bank accounts.
The finding was purely accidental: the researcher stumbled upon the result set response while searching on Google for an SQL error, and it appeared as the second result.
The leaked data could be exploited within the web application to gain unauthorized access, manipulate or delete applications, and view Birth Registration Record Verification.