EC's new online system leaves 14,000 journalists' data exposed for over 2hrs

The personal information of at least 14,000 journalists was exposed through an online system introduced by the Election Commission (EC) ahead of the 13th national parliamentary election.

A technical issue in the system caused the sensitive data to remain publicly accessible for approximately two hours. Although the breach has occurred, the EC has yet to confirm the matter.

The exposed information included photographs, signatures, national identity card (NID) details, office ID cards, and media-related documents submitted by journalists while applying through the EC's website, reports Prothom Alo.

The applications also contained institution-related information, including lists of journalists approved by media organisations.

Ahead of the election and an upcoming referendum, the EC revised the rules for issuing cards to journalists. For the first time, it made online application through pr.ecs.gov.bd mandatory for obtaining journalists' cards and vehicle stickers.

However, following demands from journalists, the EC withdrew the decision on Thursday (29 January) and opted to issue cards manually.

Before the decision was reversed, nearly 14,000 journalists had already applied for cards and stickers through the online system.

Yesterday (31 January), after 4pm, the personal information of journalists who had applied became publicly accessible on the EC's website.

By replacing "user" with "admin" in the website URL, complete applications and related information could be viewed. 

The website's homepage displayed a list of applicants, along with names, NID numbers, mobile phone numbers and options to open full applications.

By late evening, the website was no longer accessible.

At around 9pm, Election Commission Secretariat Senior Secretary Akhtar Ahmed told Prothom Alo that he was not aware of the issue.

"This is not within my knowledge. I was in the office until 2:30pm today [Saturday], and nothing was known about it then. Since the afternoon, a few people have called to ask about the matter. It would not be right to comment without knowing what information was leaked and how. I will find out after going to the office tomorrow," he said.

Director of the Institute of Information Technology at Dhaka University, BM Mainul Hossain, told Prothom Alo that digital systems primarily operate on trust.

Tanvir Hasan Joha, a prosecutor at the International Crimes Tribunal and an information technology expert, described the incident to Prothom Alo as direct evidence of irresponsibility by a state institution.

"How can a constitutional body launch a system that has no data protection, access control or even basic security testing? The most important question is whether the personal data of these 14,000 journalists has been copied or accessed by any third party," he said.

He added that those who often speak publicly about journalists' data protection, digital security and personal privacy are, in reality, the ones handing over such information to the most insecure systems.