Data breach | Resolved

Bangladesh government citizen data leak

A misconfigured Bangladeshi government birth-and-death registration website exposed the names, addresses, phone numbers and national ID numbers of more than 50 million citizens, discovered accidentally via a Google search.

Victim: Office of the Registrar General, Birth & Death Registration (Bangladesh)
Records: 50.0M
Users: 50.0M

In July 2023, a misconfigured website operated by Bangladesh's Office of the Registrar General, Birth & Death Registration was found to be leaking the personal data of more than 50 million citizens — one of the largest exposures of government-held PII in South Asian history. The data was not stolen by a sophisticated intruder; it was simply sitting in plain view, indexable by Google.

What happened

On 27 June 2023, Viktor Markopoulos, a researcher at South Africa-based Bitcrack Cyber Security, was troubleshooting an SQL error and pasted it into Google. The exposed Bangladeshi database "just appeared" as the second search result. As Markopoulos put it, finding the data "was too easy."

The leaking endpoint belonged to a Bangladeshi government website that drew on the national identity (NID) ecosystem. The exposed fields included citizens' full names, addresses, phone numbers, email addresses and national ID numbers — the exact combination needed for identity theft and financial fraud.

TechCrunch, which verified and disclosed the leak on 7 July 2023, deliberately withheld the website's name because the data was still publicly accessible at the time of publication. Bangladesh's national Computer Incident Response Team (CIRT) and government press office did not respond to requests for comment before publication.

Impact

  • The personal records of over 50 million Bangladeshi citizens were exposed — a figure repeated across Bangladeshi and international outlets.
  • Because the data tied directly to the NID system, exposed individuals faced lasting risk of identity theft, SIM-swap fraud and impersonation, with no ability to "rotate" an immutable national ID number.
  • The leak was an infrastructure and configuration failure, not a breach of a hardened system — making it both embarrassing and, in principle, entirely preventable.

Government response

The site was taken offline around 10 July 2023. Zunaid Ahmed Palak, then State Minister for Information and Communication Technology, publicly acknowledged the exposure but insisted it "was not the result of hacking," attributing it instead to "security weaknesses present in the websites." The government launched an inquiry into the scope of the exposure and which partner organisation was responsible, given that scores of agencies share access to citizen data.

Why it matters

Bangladesh had digitised vast amounts of citizen data without a mature data-protection law or uniform security baseline across the 170-plus organisations that tap the NID database. This incident — discovered by chance rather than by an attacker — exposed how a single misconfigured partner site can compromise the data of an entire population. It became the reference case in Bangladesh's debate over a national Data Protection Act and stricter controls on third-party access to government identity systems.

Timeline

  1. Bitcrack Cyber Security researcher Viktor Markopoulos accidentally finds the exposed database as the second result of a Google search for an SQL error.

  2. TechCrunch publicly reports the leak without naming the site, because the data is still live online.

  3. Bangladeshi media estimate that the personal records of more than 50 million citizens are exposed.

  4. The government takes the exposed website offline; ICT State Minister Zunaid Ahmed Palak attributes the incident to website security weaknesses rather than hacking.

  5. Leaked NID data subsequently surfaces in Telegram channels, fuelling identity-theft and fraud concerns.

Sources

  1. https://techcrunch.com/2023/07/07/bangladesh-government-website-leaks-citizens-personal-data/
  2. https://techcrunch.com/2023/07/10/bangladesh-government-takes-down-exposed-citizens-data/
  3. https://en.wikipedia.org/wiki/2023_Bangladesh_Government_website_data_breach
  4. https://www.bankinfosecurity.com/bangladesh-government-portal-leaked-50m-citizens-records-a-22501
  5. https://www.cpomagazine.com/cyber-security/50-million-bangladeshis-impacted-by-government-website-data-leak/

Related incidents

Data breach | Resolved

Convex data breach (2023)

In February 2023, the Russian telecommunications provider Convex was hacked by "Anonymous" who subsequently released 128GB of data publicly, alleging it revealed illegal government surveillance. The leaked data contained 150k unique email, IP and physical addresses, names and phone numbers.

Victim: Convex
Records: 150.1K