
THE cyberspace of Bangladesh has made the headlines for breaches on many occasions since the reserve theft of the Bangladesh Bank. The most recent breach took place in late October 2024, when the user data of 5,000 people was leaked from a web site that sold tickets for an Atif Aslam concert in Dhaka. All this shows that we have a long way to go to protect our digital landscape.
Data breach
CRIMINALS harvest data from various sources, ranging from mobile balance recharge points to cyberspace, to gain insight into individuals, companies or groups of people by manipulating human minds and machines.
Confidential data meant for the social and financial use of an individual or business entity becoming available in any form because of unauthorised access constitutes a data breach. The root causes of such breaches, based on what has so far happened in Bangladesh, can primarily be attributed to two factors: bureaucratic and technical.
Bureaucratic factors
Newspapers published a report in early October 2024 on a national identity data leak from the national data repository and a case filed against 19 suspects, who included an adviser on information and communications technology to the prime minister Sheikh Hasina, who was deposed on August 5, 2024, and the state minister for information and communications technology of the Awami League government, which was toppled the same day.
Another report published in the third week of May 2024 said that some government employees had sold national identity and phone call details on social media. A National Telecommunications Monitoring Centre investigation later found that the group had used login credentials of police officers to access the data and sell them.
The events reiterate the traditional abuse of authority, lack of accountability, internal corruption in the administrative system and the bureaucrats' neglect of citizens' rights for personal gain. The lack of accountability contributes a lot to the failure to protect the cyberspace.
A group stole data of 12,000 Agrani Bank clients by hacking into the bank's e-mail server. The data were sold on an online black market in June 2024, as the media reported. The authorities, however, said that the hacking did not take place at the bank, but that the e-mail accounts of several staff were compromised. This appears to be a way for the authorities to avoid their responsibility.
Greek information security consultant Viktor Markopoulos in 2023 'detected a leak in a Bangladesh government web site, revealing the personal data of 50 million Bangladeshis' when he googled a database error. He is reported to have tried to reach someone responsible at the Bangladesh agency concerned, the Computer Emergency Response Team in this case, but the agency did not respond. What Viktor Markopoulos bumped into indicates a lack of adequate measures to head off unauthorised access to confidential data.
Security inadequacy
THE committee that investigated the 2023 data leak from the Office of the Registrar General, Birth and Death Registration, found that the lack of skilled personnel and improper software development practice had contributed to technical vulnerabilities. The investigation also showed that the agency had only one programmer and lacked skilled professionals, leading to poor software implementation and inadequate security measures for a critical digital infrastructure of that magnitude. In a recent data breach case, Titas Gas claimed that its systems were secure as the servers were hosted at the National Data Centre under the management of the Bangladesh Computer Council. A Bangladesh Cyber Security Intelligence report on November 13, 2024, however, claimed that root access to the firewall was sold on the dark web. The leak of national identity data and call data records can have severe consequences, resulting in various crimes such as identity theft, financial fraud and even threats to national security.
Preventive measures
The July-August uprising has shown how a corrupt administrative system regards the masses. People need to be aware of the confidentiality of their own data. The rushed digitalisation created a discrepancy between digital literacy among the people and digital services. As of January 2025, a number of people did not have adequate knowledge of how to process services online and access personal computers. They, therefore, depend on local service points that help them with services such as visa applications, national identity cards, birth registration and correction, which are all sensitive services. The points and booths where people do their mobile recharge, pay bills and carry out mobile financial services transactions could very well be hotspots for malicious groups to harvest sensitive data. People should be cautious about sharing their confidential data and use trusted computers to gain sensitive services online if they do not have access to a personal device.
Cybersecurity legislation must be implemented to protect rights, confidentiality and national data and clearly define what constitutes crimes in cyberspace rather than using such laws as repressive handles. Public entities entrusted with sensitive data must be held accountable for implementing proper security measures and ensuring protection. The Digital Security Act that the Cyber Security Act replaces seems more like a repressive device than an instrument to deter crimes in cyberspace.
Software testing
The practice of traditional 'test-case-based testing', which focuses only on user interface behaviour and some fixed paths to test applications, depends on clients' acceptance criteria and their automation. But regular security scrutiny remains absent. Modern applications are complex, and user interface and acceptance validation alone cannot resolve all the issues because such applications are also heavily dependent on application programming interfaces to ensure flawless data sharing.
If testing is given enough time and scope to test these programming interfaces along with basic security testing as laid out in the Open Web Application Security Project framework, simple issues could easily be resolved. More advanced issues will, however, remain for the vulnerability assessment and penetration testing phase, which is costlier; such issues are also hard for average cyber criminals to exploit.
Forensics and incident response
DATA breaches might occur in spite of rigorous security testing, calling for the use of digital forensics and incident response, which has so far remained a less discussed issue of cybersecurity in Bangladesh. Digital forensic investigations help the law enforcement agencies to find cybercriminals based on the traces that they leave behind. In incident response, they provide the affected entities with the necessary actions to head off further breaches and preserve artifacts for a further legal investigation.
The offensive, defensive and investigative cybersecurity practices are becoming more relevant in the fast-growing information technology industry, which has created a need for educated resources in highly specialised fields. As public entities and information technology companies in Bangladesh eventually take necessary measures to protect sensitive data from criminals, it will create a market demand for digital security professionals.
Frequent data breaches in Bangladesh warrant that the government fortify cyberspace with proper, adequate measures. While rapidly going digital has brought about advancement, it has also exposed loopholes that threaten privacy, financial stability and national security. Such challenges call for a multi-pronged approach: strengthening technical security, fostering accountability of public agencies and empowering citizens with digital literacy initiatives. By prioritising cybersecurity as a national imperative, the government can mitigate risks, earn trust in digital systems and unlock the potential of the digital economy.
Ishtiaque Foysol is a software tester.