Friday, November 22, 2024
Technology

Bangladeshi police agents accused of selling citizens’ personal information on Telegram

Two senior officials working for anti-terror police in Bangladesh allegedly collected and sold classified and personal information of citizens to criminals on Telegram, TechCrunch has learned. 

The data allegedly sold included national identity details of citizens, cell phone call records and other “classified secret information,” according to a letter signed by a senior Bangladeshi intelligence official, seen by TechCrunch.

The letter, dated April 28, was written by Brigadier General Mohammad Baker, who serves as a director of Bangladesh’s National Telecommunications Monitoring Center, or NTMC, the country’s electronic eavesdropping agency. Baker confirmed the legitimacy of the letter and its contents in an interview with TechCrunch. 

“Departmental investigation is ongoing for both the cases,” Baker said in an online chat, adding that the Bangladeshi Ministry of Home Affairs ordered the affected police organizations to take “necessary action against those officers.” 

The letter, which was originally written in Bengali and addressed to the senior secretary of the Ministry of Home Affairs Public Security Division, alleges the two police agents accessed and passed “extremely sensitive information” of private citizens on Telegram in exchange for money.

According to the letter, the police agents were caught after investigators analyzed logs of the NTMC’s systems and how often the two accessed it.

The letter reveals the identity of the officials. One of the accused is a police superintendent serving with the Anti-Terrorism Unit (ATU). The other is an assistant police superintendent deputy at the Rapid Action Battalion, also known as RAB 6, a controversial paramilitary unit that the U.S. government sanctioned in 2021 over allegations that the unit is linked to hundreds of disappearances and extrajudicial killings. TechCrunch is not naming the two people who were accused as it’s unclear if they have been charged under the country’s legal system.

The NTMC is a government intelligence agency established under Bangladesh’s Ministry of Home Affairs. The agency’s core task is to monitor all telecommunications traffic and intercept phone and web communications to detect and prevent threats to national security. 

Organizations like Human Rights Watch and Freedom House have criticized the NTMC for lacking safeguards against abuses, both against free speech as well as privacy. Over the years, NTMC procured sophisticated technology from companies in Israel, which Bangladesh does not officially recognize, as well as other Western countries, to conduct mass surveillance largely on opposition party members, journalists, civil society members and activists.  

As part of its mission, the NTMC runs the National Intelligence Platform, or NIP, an internal government web portal that holds classified citizen information, like national identification details, cell phone registration and cell data records, criminal profiles and other information. 

Various law enforcement and intelligence agencies have user accounts on the NIP portal provided by the NTMC. 

NTMC’s own investigation concluded that the agents used the NIP platform more frequently than others, and accessed and collected information that was not relevant to them.

“Considering the context, such irrelevant access and unlawful handover of extremely sensitive classified data should be investigated to identify everyone involved in this and we also request for appropriate action against all those identified/involved,” the letter read.  

Baker told TechCrunch that there were a “number of Telegram channels,” adding that one of them was called BD CYBER GANG.

TechCrunch could not identify the specific channel on Telegram. 

Contact Us

Do you have more information about this incident, or similar incidents? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also reach out to Zulkarnain Saer Khan on Signal at +36707723819, or on X @ZulkarnainSaer. You also can contact TechCrunch via SecureDrop.

Baker told TechCrunch that it appears that the two agents sent the information to the administrator of at least one Telegram group, who then attempted to sell it. 

Baker said that the two agents have been notified of the investigation. 

Because of the investigation, all NIP users from ATU and RAB 6 have had their access suspended “until the involved officials are identified, and proper action is taken,” according to the letter.

Baker confirmed the suspended access, saying that if agents “need any information for investigation purposes they can collect through Police and RAB HQ.”

Spokespeople for Bangladesh’s Ministry of Home Affairs and ATU did not respond to multiple requests for comment. A person identifying only as an “operations officer” at RAB 6 told TechCrunch that the agency had no comment. 

Last year, a security researcher found that the NTMC was leaking people’s personal information on an unsecured server. The leaked data included real-world names, phone numbers, email addresses, locations and exam results, according to Wired. Another Bangladeshi government agency, the Office of the Registrar General, Birth & Death Registration, also leaked citizens’ sensitive data last year, as TechCrunch reported at the time.

In both cases, the leaks were found by Viktor Markopoulos, a researcher who works at Bitcrack Cyber Security. 

While those were significant cases of data exposure, this incident allegedly involving the ATU and RAB 6 agents is potentially more damaging, given that the agents allegedly sold information online in an attempt to profit from their privileged access to classified personal information.  

Although the incident is under investigation, a well-placed source within the government told TechCrunch that there are still officials who are offering to sell citizens’ data.

source

Leave a Reply

Your email address will not be published. Required fields are marked *