Sensitive public data breach detected, 2 police officers' IDs used

The authorities have detected a breach of sensitive public data using the user IDs of two police officers through the system of National Telecommunication Monitoring Centre (NTMC).

The Monitoring Centre under the Ministry of Home Affairs found that national identities, mobile call data records and other information obtained from the system were transferred using the social media platform "Telegram" in exchange for money, according to an official letter signed by Brigadier General Mohammad Baker on behalf of NTMC Director General Major General Ziaul Ahsan.

The Business Standard has obtained a copy of the letter, which, however, did not clarify how and to whom the classified data was transferred through Telegram, an encrypted app.

The two police officers, whose user IDs were used in the data breach, are Farhana Yesmin, police super at the Anti-Terrorism Unit (ATU), and Tareq Aman Banna, assistant superintendent of police at the Rapid Action Battalion-6.

In the letter to the home ministry's public security secretary, the NTMC said by analysing system logs of its National Intelligent Platform it detected that sensitive information is being transferred using Telegram through the two user IDs.

The NTMC said it analysed log reports of 8:57pm and 21:27pm on 25 April and detected the breach. The Monitoring Centre said analysing one-month data (25 March–25 April of 2024) it detected excessive collections of data using the two IDs compared to others.

The NTMC also attached four pages of Telegram app conversation screenshots, one page of system log reports, two pages of a summary of the data collection and 23 pages of BD Cyber Gang channel report with the letter.

The Monitoring Centre requested the ministry to issue an order to take action against the culprits after detecting them through a proper investigation into unauthorised use and illegal transfer of sensitive data.

The NTMC also informed the home ministry that access of all user IDs of the Anti-Terrorism Unit and the RAB-6 to its system will remain suspended until the end of the investigation.

The Monitoring Centre asked the two organisations to collect information through their respective headquarters during the suspension period.

The letter mentioned that the NTMC is an important and sensitive organisation under the home ministry which regulates under section 97(Ka) of the Bangladesh Telecommunication Act 2006 (amended) and is lawfully monitoring all the telecommunications mediums for state needs. 

Various systems including the National Intelligent Platform have been developed by the NTMC to provide necessary information support to various law enforcement, intelligence and investigation agencies, it reads. 

Law enforcement, intelligence and investigation agencies use the user IDs and passwords provided by the NTMC to retrieve sensitive data from the system required for their investigations, it also reads.

"In view of the sensitivity of the confidential data, receiving, transferring and disclosing all such information without the need for investigation is a punishable offence," states the letter.

The NTMC also enclosed four pages of Telegram app conversation screenshots, one page of system log reports, two pages of a summary of the data collection and 23 pages of BD Cyber Gang channel report with the letter.

When asked about the leak of the sensitive data, Farhana Yesmin told TBS, "Someone else leaked the data using her identification number and he has already been sacked.  "I'm not aware of any home ministry probe yet," she added.

Tarek Aman Banna told TBS that he is not aware of any such allegation. "I'm on leave now," he added.

Leakage of personal data alarming: TIB

The Transparency International Bangladesh (TIB) on Tuesday (21 May) expressed deep concern over the theft and online sale of citizens' confidential and sensitive information from the NTMC. 

"This breach violates constitutional commitments to safeguard personal data," it said in a press statement. 

TIB urged swift enactment of the Personal Data Protection Act, 2024, and demanded severe penalties for those responsible.

TIB Executive Director Iftekharuzzaman said, "Repeated incidents of theft involving personal and sensitive information like national identity cards and call data records are not new. Previously, Bangladeshi citizens experienced thefts of various confidential documents such as birth certificates and national identity cards at different times. Recent events have seen a surge in such breaches, with personal data being pilfered by law enforcement organisations tasked with safeguarding it. The process and technical infrastructure used by the government to protect citizens' sensitive information raises questions regarding its integrity and capability."