A fraudulent website posing as Bangladesh’s official e-apostille platform has compromised sensitive data belonging to over 1,100 individuals, raising alarms among cybersecurity experts. This incident is being characterized as one of the most significant failures in digital governance in recent years.
Documents that have surfaced online include national identification cards, passports, academic diplomas, marital certificates, trade licenses, and various other private records. The exposure of such information creates substantial risks for identity theft, forgery, extortion, and targeted scams.
The counterfeit site closely mimicked the structure and appearance of the government-operated MyGov e-apostille service, which is hosted under the domain “.bd.” This bogus platform generated fake apostille certificates associated with QR codes that, when scanned, led users to a systematically organized database.
By altering the final digits in the URL, users could access documents belonging to other applicants, exposing a well-known vulnerability labeled as Insecure Direct Object Reference (IDOR). Cybersecurity experts emphasize that breaches resulting from IDOR are particularly severe, as they do not require advanced hacking techniques—merely a web browser is sufficient. A cybersecurity analyst based in Dhaka indicated that enhanced security measures, such as UUIDs, encryption, and layered access controls, could have mitigated this issue.
The victims include Bangladeshi students preparing for studies abroad, migrant workers, job seekers, business representatives, and individuals submitting personal documents for verification outside the country. Many accessed the e-apostille service through local intermediaries, such as shops and agents that assist with government services, complicating the ability to trace the intentionality behind their data submission via the fake site. In interviews, several victims acknowledged ownership of the leaked documents but were unaware of any breach until notified.
Among those affected, one woman who submitted marriage documentation and passports through an agency expressed distress regarding her compromised information: “I don’t know where my data has ended up. How can I ensure my safety now?”
Investigators from Aspire to Innovate (a2i) identified at least six ongoing fraudulent domains impersonating MyGov services. These sites utilized similar spellings, visual layouts, and service designations to mislead unsuspecting applicants. Officials suspect that this fraud network has been operational since October, discreetly accumulating data, issuing counterfeit certificates, and preserving scanned records.
A preliminary investigation report accessed by the Dhaka Tribune cautions that these websites might have facilitated phishing, financial fraud, and data harvesting while possibly being connected to broader criminal entities. Although cybersecurity teams speculate on commercial interests behind the operation, they do not dismiss the possibility of organized sabotage at the state level.
Faiz Ahmad Taiyeb, a special assistant to the chief adviser overseeing the ICT ministry, referred to this incident as part of a larger pattern of digital sabotage aimed at undermining public trust in government services. He highlighted that vast amounts of citizens’ data are already circulating on the dark web. Recent years have seen Bangladesh endure numerous data exposure crises, from breaches of police complaint portals to allegations concerning the compromise of 50 million Covid vaccination records online. Experts note that these recurring incidents jeopardize national credibility and threaten economic, diplomatic, and labor migration sectors.
Professor BM Mainul Hossain from Dhaka University cautioned that personal documents, unlike passwords, cannot be reset or changed. “Once these identity records are publicly accessible, the repercussions are irreversible,” he warned.
Analysts specializing in digital governance examine the breach as indicative of deeper systemic vulnerabilities, including an overreliance on third-party agents, inadequate platform verification, low public awareness, and a lack of a comprehensive national data protection framework. While Bangladesh initiated the drafting of a Data Protection Act in 2022, the legislation has yet to be enacted.
Cybersecurity professionals urge the government to implement stringent measures such as mandatory HTTPS certificate pinning, multi-factor authentication, automated spider detection, zero-trust architecture, secure API gateways, and routine third-party audits—standards becoming increasingly essential in national digital identity systems. The urgency is palpable, as a multitude of documents may still be hosted on these fraudulent platforms, attracting thousands of visitors. Authorities are working swiftly to eliminate mirrored websites and trace servers believed to operate outside Bangladesh.
However, forensic experts caution that the mere seizure of these fraudulent portals will not halt the circulation of stolen information online. This breach stands as a critical reminder that robust data protection measures are essential to maintain trust in digital services. The central question persists: how long can Bangladesh afford to overlook its cybersecurity vulnerabilities?
