The list of data is long. Names, professions, blood groups, parents’ names, phone numbers, the length of calls, vehicle registrations, passport details, fingerprint photos. But this isn’t a typical database leak, the kind that happens all the time—these categories of information are all linked to a database held by an intelligence agency.
For months, the National Telecommunication Monitoring Center (NTMC), an intelligence body in Bangladesh that’s involved in collecting people’s cell phone and internet activity, has published people’s personal information through an unsecured database linked to its systems. And this past week, anonymous hackers attacked the exposed database, wiping details from the system and claiming to have stolen the trove of information.
WIRED has verified a sample of real-world names, phone numbers, email addresses, locations, and exam results included in the data. However, the exact nature and purpose of the amassed information is unclear, with some entries appearing to be test information, incorrect, or partial records. The NTMC and other officials in Bangladesh have not responded to requests for comment.
The disclosure, which appears to have been unintentional, provides a tiny glimpse into the highly secretive world of signals intelligence and how communications may be intercepted. “I wouldn’t be expecting this to happen for any intelligence service, even if it’s not really something that sensitive,” says Viktor Markopoulos, a security researcher for CloudDefense.AI who discovered the unsecured database. “Even if many data are test data, they still reveal the structure that they’re using, or what exactly it is that they are intercepting or plan to intercept.”
After Markopoulos discovered the exposed database, he linked it back to the NTMC and login pages for a Bangladeshi national intelligence platform. Markopoulos believes the database was likely exposed due to a misconfiguration. Within the database, there are more than 120 indexes of data, with different logs stored in each. The indexes include names such as “sat-phone,” “sms,” “birth registration,” “pids_prisoners_list_search,” “driving_licence_temp,” and “Twitter.” Some of those files contain a handful of entries each, while others contain tens of thousands.
The vast majority of the data exposed in the NTMC database is metadata—the extremely powerful “who, what, how, and when” of everyone’s communications. Phone call audio isn’t exposed, but metadata shows which numbers may have called others and how long each call lasted. This kind of metadata can be used broadly to show patterns in people’s behavior and whom they interact with.