Two police officers are facing punishment on charges of selling ‘extremely sensitive’ personal data of citizens, such as NID details and phone call records, to criminals online.
The officers include a superintendent of police at the Anti-Terrorism Unit and an assistant SP at the Rapid Action Battalion, tech news website TechCrunch has reported.
Major General Ziaul Ahsan, director general of National Telecommunication Monitoring Centre or NTMC, confirmed the incident.
The two police officials used to sell the information via Facebook and Telegram, he said.
The NTMC identified the leak and wrote to the home ministry for the two officials’ punishment. The ministry then asked the RAB and police to take steps against them, Ziaul said.
He said ATU and RAB-6’s access to the server was blocked after the incident. Officials of the two units are required to get information through their headquarters.
The NTMC is a government intelligence agency established under the home ministry to monitor all telecommunications traffic and intercept phone and web communications to detect and prevent threats to national security.
As part of its mission, the NTMC runs the National Intelligence Platform, or NIP, an internal government web portal that holds classified citizen information, like national identification details, cell phone registration and cell data records, criminal profiles and other information.
Asked how the data from NIP were taken out, Ziaul said: “We don’t have any weaknesses here. We can easily detect if someone takes out information from our system.”
Brigadier General Mohammad Baker, an NTMC director who signed the Apr 28 letter, told TechCrunch that there were a “number of Telegram channels,” adding that one of them was called BD CYBER GANG.
Baker also told TechCrunch that it appears that the two agents sent the information to the administrator of at least one Telegram group, who then attempted to sell it.
Organisations like Human Rights Watch and Freedom House have criticised the NTMC for lacking safeguards against abuses of both free speech and privacy.
Last year, a security researcher found that the NTMC was leaking people’s personal information on an unsecured server. The leaked data included real-world names, phone numbers, email addresses, locations and exam results, according to Wired. Another Bangladeshi government agency, the Office of the Registrar General, Birth & Death Registration, also leaked citizens’ sensitive data last year, as TechCrunch reported at the time.
In both cases, the leaks were found by Viktor Markopoulos, a researcher who works at Bitcrack Cyber Security.