Bangladesh Smart NID Telegram data leak
A Telegram bot offered up the names, photos, parents' names, phone numbers and addresses of Bangladeshi voters on demand from a 10-digit NID number, leaked through one of 174 organisations with access to the Election Commission's National ID server.
- Victim: Bangladesh Election Commission (NID Wing)
- Records: 55.0M
- Users: 55.0M
In October 2023, just months after a government website leaked the records of 50 million Bangladeshis, citizens' identity data resurfaced in an even more weaponised form: a Telegram bot that returned a person's full profile on demand. Anyone could feed it a 10-digit Smart National ID (NID) number and receive names, parents' names, gender, phone number, address and photograph in return.
What happened
On 3–5 October 2023, Bangladeshi journalists confirmed that a Telegram channel was running an automated bot connected to a copy of National ID data. The bot exposed the records of citizens holding Bangladesh's Smart NID card. The country's NID database covers roughly 12 crore (120 million) voters, of whom about 5.5 crore (55 million) hold smart cards — the population whose records were retrievable through the channel.
The Election Commission's NID Wing operates the master server, but access is shared with 174 partner organisations — banks, telecoms, ministries and agencies — each a potential leak point. Officials concluded the data had escaped through one of these partners rather than from the central server itself.
Impact
- Records of up to 55 million Smart NID holders were queryable through the Telegram bot.
- Because the bot keyed off the immutable NID number, the leak enabled targeted impersonation, SIM-swap and financial fraud at scale.
- The incident compounded the June–July 2023 Registrar General exposure, cementing a perception that Bangladesh's identity data was effectively public.
Official response
Mohammad Ashraf Hussain, system manager at the EC's NID Wing, said he had learned of the Telegram channel but did not know who was behind it. The NID Wing's director general initially said he was unaware of the matter and insisted "the NID server is safe." The Commission opened an investigation and, by December 2023, said it had found primary evidence implicating several institutions with NID access, including a state bank's mobile-money platform, a port authority and government directorates. In December 2024, the EC terminated its registration-data-verification contract with the Bangladesh Computer Council for breaching the access agreement.
Why it matters
The Telegram leak demonstrated the core flaw of centralised national-ID schemes: the security of 120 million citizens' data is only as strong as the weakest of 174 connected organisations. Once an NID number leaks, it cannot be reissued like a password. The episode intensified calls in Bangladesh for a binding Data Protection Act, granular access logging, and real accountability for the third parties entrusted with the population's identity records.
Timeline
- A Telegram bot is observed returning full citizen records when fed a 10-digit Smart NID number.
- The Daily Star and Prothom Alo report that the data of about 5.5 crore (55 million) Smart NID holders is accessible through the Telegram channel.
- Election Commission officials acknowledge the issue but say the NID server itself is safe; the leak is traced to a partner organisation.
- EC investigation identifies primary evidence of NID data leaks against several public and private institutions with server access.
- The Election Commission terminates its data-verification contract with the Bangladesh Computer Council over breaches of the access agreement.
Sources
- thedailystar.net: https://www.thedailystar.net/news/bangladesh/crime-justice/news/smart-nid-data-leak-voters-info-now-telegram-channel-3435186
- en.prothomalo.com: https://en.prothomalo.com/bangladesh/crime-and-law/q31fpcoidv
- bdnews24.com: https://bdnews24.com/bangladesh/4b3025a74f14
- en.prothomalo.com: https://en.prothomalo.com/bangladesh/ni5m1c1s4m
- thefinancialexpress.com.bd: https://thefinancialexpress.com.bd/editorial/breaching-of-nid-server