User information of those seemingly having Nagad accounts was found across several platforms, including Telegram bots, until last week, raising questions about personal data protection, according to the Daily Star.
The government’s Computer Incident Response Team (CIRT), a project of the ICT Division that responds to computer security incidents and activities in Bangladesh, alerted the NID authority and Nagad about the issue over two weeks ago.
Mohammad Saiful Alam Khan, project director at CIRT, confirmed this to The Daily Star on March 3.
“Not only Nagad, we have also informed the NID authority about such incidents relating to some other entities,” he said without revealing the names of the other entities.
From February 23 to March 6, The Daily Star tested three different sources—one Telegram bot, one human-operated Telegram channel, and one website—and found that extracting personal information just with a mobile number was possible.
All of them were live and active until March 6, when The Daily Star shared the evidence with Nagad.
The bots offered complete information for free, while the website provided half the information for free and sought a monthly “subscription” fee of Tk 640 for the rest.
The information obtained within a second included the NID number, name, date of birth, father’s name, mother’s name, and address. The bots and the website could not access or output customer transaction data.
The Telegram bot started operating in November 2023, while the channel was created on January 31, 2024. The website was created on January 27, 2024.
All of the Telegram channels had names with the word “Nagad” in them.
In a written response on March 7, Nagad said that “personal information of Nagad customers remains completely secure and free from all forms of risk.”
To verify whether only Nagad’s user information was being returned, The Daily Star ran searches from February 23 to March 6 with phone numbers not linked to Nagad or linked to other mobile financial services, and neither this specific bot nor this specific website returned any results for them.
Within the Telegram channels and bots, the user data requested was shared publicly so all those within those groups could access it.
The Daily Star couldn’t ascertain who ran the Telegram channel, bot, or the website since all the information was masked.
The Telegram channel claims that it was reproducing the information from the “KYC” or “Know Your Customer” database.
Nagad denied this, calling it a “smear campaign.”
“Nagad stores all customers’ identification in an encrypted format. However, it is disheartening to observe that vested interests are trying to take advantage of this situation by launching a smear campaign against Nagad across various platforms, including social media,” it said in its response to The Daily Star.
KYC is a step that customers must complete to have a functioning account. It is mandatory under the Bangladesh Mobile Financial Services Regulations 2022.
The step entails uploading scans of the customer’s NID; the app extracts all relevant information from the card and auto-fills it into the customer’s profile.
Although the KYC database also stores photos of the user, the bots and websites tested by this newspaper could not return those.
“We have promptly taken effective measures in response, even though there may not have been any data breach. Besides, we have also got our systems reviewed by security consultants to ensure no system vulnerability persists. It needs to be mentioned that Nagad uses state-of-the-art technology and security infrastructure & framework to secure its system above all customers’ information,” said Nagad.
Nagad has over 80 million registered users, making it one of Bangladesh’s two leading mobile financial service operators. Its daily transactions exceed $111 million, according to a Nagad press release issued in August 2023.
This probable leak follows on the heels of multiple similar leaks of citizen data last year. One such leak was from the government’s land tax portal.
According to the National Cyber Security Index updated on January 31, 2024, Bangladesh scored a zero in protecting personal data.
Bangladesh, however, scored highly in “cyber incident response,” which judges how effectively breaches or leaks are managed. Its global ranking is 24.
According to the data protection bill, all of the information found in these leaks is classified as personal data, which upholds the right to privacy.
The cabinet approved the bill in principle, but it is yet to be passed as a law. It states that no one may collect or process personal data without the user’s consent.
It acknowledges that data privacy is a right. It also legally puts the onus on the data collector to alert “data subjects” within 72 hours in case of a personal data breach.
Violations of the law carry administrative fines.
The Bangladesh MFS Regulations 2022 protect the confidentiality of customer transaction information but mention nothing about personal data.
In the case of traditional banks, however, customers’ data is confidential, and the banks cannot share the data except with relevant regulatory or law enforcement authorities as per the local laws, said Md Saimum Reza Talukder, a senior lecturer who teaches cyberlaw at BRAC University. Even then, they need authorisation from a court.
Around the world, Talukder said, failure to comply with data protection laws may have severe consequences for businesses in the short and long term. It not only results in legal and financial penalties and sanctions but also diminishes a company’s reputation.
“For example, according to the General Data Protection Regulation (GDPR) of the European Union, if clients’ data is infringed upon due to a company’s failure to use appropriate technical measures, a temporary or definitive ban on data processing and a fine up to 20 million euros, or 4 percent of the business’s total annual worldwide turnover, whichever is higher, can be imposed,” said Talukder.