A Spy Agency Leaked People's Data Online—Then the Data Was Stolen

The list of data is long. Names, professions, blood groups, parents’ names, phone numbers, the length of calls, vehicle registrations, passport details, fingerprint photos. But this isn’t a typical database leak, the kind that happens all the time—these categories of information are all linked to a database held by an intelligence agency.

For months, the National Telecommunication Monitoring Center (NTMC), an intelligence body in Bangladesh that’s involved in collecting people’s cell phone and internet activity, has published people’s personal information through an unsecured database linked to its systems. And this past week, anonymous hackers attacked the exposed database, wiping details from the system and claiming to have stolen the trove of information.

WIRED has verified a sample of real-world names, phone numbers, email addresses, locations, and exam results included in the data. However, the exact nature and purpose of the amassed information is unclear, with some entries appearing to be test information, incorrect, or partial records. The NTMC and other officials in Bangladesh have not responded to requests for comment.

The disclosure, which appears to have been unintentional, provides a tiny glimpse into the highly secretive world of signals intelligence and how communications may be intercepted. “I wouldn't be expecting this to happen for any intelligence service, even if it's not really something that sensitive,” says Viktor Markopoulos, a security researcher for CloudDefense.AI who discovered the unsecured database. “Even if many data are test data, they still reveal the structure that they're using, or what exactly it is that they are intercepting or plan to intercept.”

After Markopoulos discovered the exposed database, he linked it back to the NTMC and login pages for a Bangladeshi national intelligence platform. Markopoulos believes the database was likely exposed due to a misconfiguration. Within the database, there are more than 120 indexes of data, with different logs stored in each. The indexes include names such as “sat-phone,” “sms,” “birth registration,” “pids_prisoners_list_search,” “driving_licence_temp,” and “Twitter.” Some of those files contain a handful of entries each, while others contain tens of thousands.

The vast majority of the data exposed in the NTMC database is metadata—the extremely powerful “who, what, how, and when” of everyone’s communications. Phone call audio isn’t exposed, but metadata shows which numbers may have called others and how long each call lasted. This kind of metadata can be used broadly to show patterns in people’s behavior and whom they interact with.

Most PopularGearPS5 vs PS5 Slim: What’s the Difference, and Which One Should You Get?By Eric RavenscraftGear13 Great Couches You Can Order OnlineBy Louryn StrampeGearThe Best Portable Power StationsBy Simon HillGearThe Best Wireless Earbuds for Working OutBy Adrienne So

For instance, the “birth registration” log includes fields such as name (in English and Bengali), birthday, sex, birthplace, and mother’s and father’s names and nationalities, according to a sample of the data reviewed by WIRED. Another log, called “finance personal details,” also includes people’s names as well as cell phone numbers and bank account details, and lists an “amount” for the account type. National ID numbers are frequently included in the data structures, as are cell phone numbers and the names of mobile operators in Bangladesh. There are lists of base transceiver stations, which are parts of cell phone networks, and the records mention “cdr,” which may refer to call detail records.

Some of the data leaked appears to be test information, as well as data that is incomplete or incorrect. Some entries include generic strings of numbers such as “123456789,” while other entries are repeated multiple times throughout the database. Real-world data is also included within the leaked information.

One person contacted by WIRED confirmed that the email, mobile number, and a billing address listed belonged to them. The person says they are a subscriber of telecom firm BTCL, which is government-run and has some of their personal information, although it’s unclear whether this is the source of the data that was leaked. Markopoulos found exam results listed in the data, including some that were taken in the late 1990s, that matched those listed on the Ministry of Education’s website. Text messages sent to multiple numbers in the database were delivered, although one person replied saying they were not the person listed in the dataset. Another phone number is publicly listed as belonging to a Bangladeshi business. An encoded passport photo correlates with the alleged owner’s public information (although they could not be reached for comment).

From a review of a sample of the exposed information, it is unclear why the data has been collected, where it has all been collected from, or what it is being used for. There is no indication that it relates to any wrongdoing.

Jeremiah Fowler, a security consultant and cofounder of data breach discovery firm Security Discovery, reviewed the exposed database and confirmed its links to the NTMC. Fowler, who regularly finds exposed servers and databases online, says the data being linked to the intelligence body is “probably one of the first that I have seen like this.”

“The biggest thing I saw that was really dangerous was a bunch of IMEI numbers,” he says, referring to the identifying code given to each individual cell phone. “With those, you can actually track the device or clone the device.”

The NTMC has not acknowledged or responded to WIRED’s questions about the leaked information, including those about its purpose and the amount that has been gathered. The press office of the government of Bangladesh and the Bangladesh High Commission in London also did not respond to requests for comment. Markopoulos reported the exposed information to Bangladesh’s Computer Incident Response Team (CIRT) on November 8, and it acknowledged his message and thanked him for disclosing the “sensitive exposure.” In an email to WIRED, the CIRT said it had “notified the issue” to the NTMC.

Most PopularGearPS5 vs PS5 Slim: What’s the Difference, and Which One Should You Get?By Eric RavenscraftGear13 Great Couches You Can Order OnlineBy Louryn StrampeGearThe Best Portable Power StationsBy Simon HillGearThe Best Wireless Earbuds for Working OutBy Adrienne So

The database appeared to be offline ahead of the publication of this article. However, Markopoulos says that on November 12, the database was wiped and in its place appeared a ransom note by an unknown attacker or group of attackers. The note demanded payment of 0.01 bitcoin (around $360 at current exchange rates), or the “data will be publicly disclosed and deleted.” Both Markopoulos and Fowler say this is common for exposed databases of this kind. Meanwhile, new entries have started appearing in the wiped database, Markopoulos says, and they include a “search log” index that may indicate the system is still in use.

The NTMC, which emerged from a previous monitoring body in 2013, describes itself as an organization that provides “lawful communication interception facilities” to other agencies in Bangladesh, which has a population of 167 million. It is responsible for setting up and developing an “interception platform,” and ensuring that it operates 24/7, according to its website. Recent reporting has claimed that 30 agencies are linked to the NTMC using APIs, and that it incorporates records from mobile operators, passport and immigration services, and other bodies. In January, the NTMC reportedly purchased surveillance technology from companies headed by Israelis, and government ministers have discussed the NTMC intercepting social media data.

A telecoms expert who has worked in Bangladesh, who requested anonymity over fears of government retaliation against their family, alleges that as a “lawful intercept center,” the NTMC can collect huge volumes of data. “They are not only collecting call data records from mobile companies, but also, they are collecting logs and detailed records, session history, from internet providers,” they claim. “It's really powerful, and the kind of surveillance that they do is more powerful than European countries,” they add, citing Bangladesh’s lack of legislative parallels to Europe’s strict data protection laws.

In recent weeks, protests against the current government have rocked Bangladesh as a crackdown has happened against those in opposition, ahead of the country’s next round of elections in 2024. One Bangladesh-based researcher who asked not to be named, fearing repercussions, says they “expect to see more surveillance and targeting of individuals” ahead of the elections next year.

“I think the number one priority has to be to make individuals, especially activists … aware of the surveillance system and understand how to be safe online,” the researcher says when asked about digital rights. “When, in the country, people are fighting for their basic rights—such as securing their daily livelihood and fighting for their political rights—digital rights come much later.”

About Matt Burgess

Check Also

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were …

Leave a Reply