
Who's to blame for putting personal data on sale?

Published: Thursday, 18 September, 2025 at 12:00 AM
Imagine this: a stranger hands you a copy of someone's National ID, months of call details with locations, SMS archives, even bank-account statements, given only a mobile number and an NID number, for as little as a few hundred Taka. How chilling is that! That is not science fiction. It is the chilling reality a recent investigation uncovered.

The probe exposed an app called ShobEkhane (All Here) and an identically named website that openly trade in highly sensitive personal data. It shows the ring offers some 25 categories of personal information, including NID server copies, NID PDFs, driving-license data, passport details, TINs, birth registrations, case files from the police database CDMS, call detail records (CDRs), IMEI lookups, SMS archives, and - most alarmingly - bank-account and mobile-banking transaction data from major banks and mobile financial service (MFS) providers. All of it is delivered after a simple mobile-banking payment, in exchange for a little identifying data - typically a mobile number or an NID.

Promotional techniques are not hidden. The perpetrators use Telegram channels, WhatsApp groups and promotional videos to advertise the service openly under pseudonyms such as "Bill Gates" and "Mark Zuckarbag," and they also post instructions and updates.

According to law-enforcement and government IT sources cited in the investigation, this is not a lone hacker in a basement. Preliminary findings point to complicity from inside institutions where some law-enforcement members and IT staffers in banks and public agencies appear to have been in a position to access and leak the data that helps these services.

Why must this be taken seriously? Stolen identity data can fuel fraud, extortion, impersonation, financial theft and even physical danger. With access to NID and bank details, the perpetrators can intimidate the victims, register fake SIMs or open social media accounts that can be used for coercion, or even construct convincing fake evidence. The ripple effects harm victims emotionally, financially and socially. These data can be used for blackmail that would eventually destroy reputations and disrupt lives.
 
There are two layers to this problem: the technical (how data is accessed and monetized) and the institutional (why insiders can - allegedly - hand over that data). The first demands urgent technical fixes such as locking down access to sensitive databases, rigorous API authentication, end-to-end encryption, immutable audit logs and real-time anomaly detection that will bar bulk extracts or suspicious queries. Banks, the National ID database custodians, police databases such as CDMS and MFS operators must harden their systems accordingly.

But technical measures alone will not suffice. The allegation of insider involvement is an indictment of governance and culture in the institutions that hold our data. If employees with privileged access are selling or facilitating access, the response must be swift and uncompromising. The public must be informed of progress as opacity breeds panic and cynicism.

We also need immediate policy measures. We must accelerate adoption and enforcement of a comprehensive personal data protection law which will define lawful access, penalize unlawful data sharing, mandate breach notification and prescribe standards for data stewardship. Regulators should require regular third-party security audits for those who store or process citizens' personal information. Financial institutions and telecoms must be required to implement stronger consent mechanisms and to limit what staff can query and export.

Public awareness is the third pillar. Social-media users and journalists must be careful not to amplify services that facilitate harm. At the same time, citizens must be made aware of simple protections. They should know not to share NID details or OTPs unnecessarily or respond to unfamiliar payment requests, but to report suspicious messages or channels to authorities. MFS providers should offer clearer dispute-resolution channels and immediate reversal mechanisms for unauthorized debits.

The government has announced that five to six similar apps have been identified, and it is also said that further investigations are underway. We welcome it. But words are not enough. We want to see clear and time-bound actions. Quick takedowns of apps are useful but insufficient if the leak points are inside databases and if complicit individuals can recreate the service elsewhere.

Finally, the press has a duty to continue shining a light on these networks. Investigative reporting exposes not just the criminals but the vulnerabilities. It forces institutions to act. At the same time, media must balance exposure with caution - revealing too much technical detail can help copycats.

This scandal is a test of our digital resilience. It shows whether we will treat personal data as a public good and a trust that needs strict protection and stern stewardship, or whether we will continue to let cheap hacks and insider malfeasance erode the foundations of trust on which our digital society rests. The answer should be obvious. What remains to be seen is whether policymakers, institutions and citizens will act with the urgency this crisis demands.

The writer is a banker




Editor : Iqbal Sobhan Chowdhury
Published by the Editor on behalf of the Observer Ltd. from Globe Printers, 24/A, New Eskaton Road, Ramna, Dhaka.
Editorial, News and Commercial Offices : Aziz Bhaban (2nd floor), 93, Motijheel C/A, Dhaka-1000.
Phone: PABX- 41053001-06; Online: 41053014; Advertisement: 41053012.
E-mail: district@dailyobserverbd.com, news@dailyobserverbd.com, advertisement@dailyobserverbd.com, For Online Edition: mailobserverbd@gmail.com