Privacy on Sale

The National Identity Card (NID) server is a repository of extremely sensitive personal data of Bangladesh’s citizens. Ensuring the security of this server is one of the Election Commission’s (EC) primary responsibilities.

However, some recent reports have left us stunned. Investigations by the Criminal Investigation Department (CID) reveal that a thriving “marketplace” for buying and selling citizens’ personal information has emerged on public platforms such as Facebook.

Disturbingly, those behind this theft are none other than a group of officials and employees from within the EC itself. For instance, a computer operator and an outsourced employee at the Gazaria Upazila Election Office colluded to plunder data using the EC’s “confidential IDs and passwords.”

In exchange for a few thousand taka per week, they sold critical access, through which the data of more than 365,000 people were leaked. By trading this information, they reportedly made Tk 110 million in just 30 days.

Such incidents are not merely major financial crimes; they pose a grave threat to national security. Article 43(b) of the Constitution of Bangladesh states: “Subject to reasonable restrictions imposed by law, every citizen shall have the right to the privacy of his correspondence and other means of communication.”

This means that while reasonable limitations may be imposed by law in the interests of state security, public order, public health, or morality, the privacy of a citizen’s personal data and communications remains a fundamental right. Any violation of this fundamental right is undoubtedly alarming. In Bangladesh, the Information and Communication Technology Act (2006), the Right to Information Act (2009), and the Cyber Security Act (2023) include provisions for the protection of personal data.

Moreover, the current interim government has enacted the Personal Data Protection Ordinance, 2025. Under these laws, people’s names, addresses, fingerprints, and other sensitive information are supposed to be protected. How, then, can such data be sold like cheap commodities for Tk 200–300?

Unfortunately, despite repeated warnings, the security of government servers has not been strengthened, leaving persistent vulnerabilities. After all, if the threat lies within, locking the doors from the outside serves little purpose.

If a contractual or lower-level field employee can gain access to the entire national server at will, it clearly indicates that the EC’s digital security framework is extremely weak and fragile. It is essential to investigate whether a powerful syndicate or influential figures are operating behind the scenes.

To prevent NID fraud and data leaks, it is imperative to establish a robust multi-layered security system with multi-factor authentication (MFA). Access to servers should no longer be possible with just an ID and password. Strict multi-factor authentication—such as biometric verification or OTP-based systems—must be introduced so that no single individual can carry out theft alone.

In addition, regular digital audits and monitoring systems must be implemented. There should be real-time logs and surveillance of who accesses the server, when, and for what purpose. Controls should be put in place so that any attempt at an abnormal data download automatically triggers an alarm or locks the system. For outsourced or contractual recruitment, higher security clearance and mandatory ethical vetting are necessary.
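The logging and alarm controls described above, sketched as an added example (not code from the EC or from this article): it reviews constructed audit records and flags lookups with no stated purpose, one credential used from several sources, and lookup volume above a ceiling, locking the account in the last case. The log format, account names, one-hour window and ceiling of three lookups are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: time, account, source IP, stated purpose, record ID.
SAMPLE_LOG = """\
2025-01-06T10:00:05 op_field_01 10.1.4.20 CASE-1182 rec-0001
2025-01-06T10:02:10 op_field_01 10.1.4.20 CASE-1182 rec-0002
2025-01-06T22:40:00 op_field_02 10.1.7.31 CASE-2210 rec-0100
2025-01-06T23:10:00 op_field_02 203.0.113.9 - rec-0101
2025-01-06T23:10:20 op_field_02 203.0.113.9 - rec-0102
2025-01-06T23:10:40 op_field_02 203.0.113.9 - rec-0103
2025-01-06T23:11:00 op_field_02 203.0.113.9 - rec-0104
"""

WINDOW = timedelta(hours=1)   # assumed sliding window
MAX_LOOKUPS = 3               # assumed per-account ceiling inside one window

def parse(log_text):
    for line in log_text.splitlines():
        ts, account, ip, purpose, record = line.split()
        yield datetime.fromisoformat(ts), account, ip, purpose, record

def review(log_text):
    """Return (alerts, locked_accounts) for a chronological audit log."""
    recent = defaultdict(list)   # account -> [(time, ip)] still inside WINDOW
    alerts, locked = [], set()
    for ts, account, ip, purpose, record in parse(log_text):
        if account in locked:
            alerts.append((ts, account, "access attempted while locked"))
            continue
        if purpose == "-":
            alerts.append((ts, account, "lookup without stated purpose"))
        recent[account] = [(t, i) for t, i in recent[account] if ts - t <= WINDOW]
        recent[account].append((ts, ip))
        if len({i for _, i in recent[account]}) > 1:
            alerts.append((ts, account, "one credential used from several sources"))
        if len(recent[account]) > MAX_LOOKUPS:
            alerts.append((ts, account, "lookup volume above ceiling, account locked"))
            locked.add(account)
    return alerts, locked

if __name__ == "__main__":
    alerts, locked = review(SAMPLE_LOG)
    for ts, account, reason in alerts:
        print(ts.isoformat(), account, reason)
    print("locked:", sorted(locked))
```

In a real deployment the ceiling would come from each role's measured baseline rather than a fixed number, and the lock would be enforced by the server itself, not by a log reviewer.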

Regular departmental investigations and accountability for employees in sensitive positions must also be ensured. Public awareness must be raised on this issue. Finally, enacting up-to-date laws and ensuring their effective implementation are essential, and such laws must include provisions for compensation and legal remedies for victims of data breaches.