Socio-financial impact of data breach

THE largest supermarket chain Shwapno, which has more than four million registered consumers, has said that its customer database was breached towards the end of March and cybercriminals demanded $1.5 million, which comes to more than Tk 183 million. The chain shop made the disclosure after its consumer details — names, phone numbers and purchase history — did the rounds on social media. The management of Shwapno, a subsidiary of ACI Limited, worked with forensic experts and the Counter Terrorism and Transnational Crimes unit and took steps to secure its system.

The most dangerous aspect of such breaches remains the casual attitude of customers, many of whom may think it does not matter if names, phone numbers and shopping history do the rounds in the public domain. They are no simple pieces of information. Combined, they form a context-rich ‘target profile’ of people. The shopping history could indicate dietary habits, interests, income range, when salaries are paid, household size, marital status, health choices and even religious or cultural practices.

Purchase pattern analysis can also show periods of financial strain by looking at the switch to low-cost brands or reduced buying. Research shows that shopping data can also reveal pregnancy before women make the announcement and infer mental-health status without access to any single medical or personal record. All this can make buyers susceptible to loan scams or emotional manipulation. The leaked information together makes a map that skilled social engineers, scammers or profilers can exploit with remarkable precision. Modern machine learning tools can make startlingly accurate predictions from purchase data alone.

People with declining purchases in the last week of a month, which suggests weak cash flow, might receive predatory loan app advertisements. And the victims would rarely realise the attack was designed specifically for them. They often think that they had bad luck with scammers. But they were, in fact, products of a data-driven targeting exercise. The most ominous part of the story is that behavioural profiles, once they reach the market, do not expire. They remain there, getting updated with other leaked data, becoming increasingly accurate over time and being exploited by criminals, big companies and social engineers.

Physical safety risks are, perhaps, the most overlooked aspect of this. The purchase history, which might show a woman shopping alone late in the evening with young children on specific days, can help criminals in kidnapping, stalking or even targeted home invasion. Criminal networks that buy leaked databases on the darknet include not only scammers but also physical crime rings. Reputation and relationship damage is also possible. Some purchase history might show habits or preferences undisclosed to the family. Shopping patterns could be used to infer or fabricate narratives about private life for blackmail, coercion or harassment. Phishing is also possible, using real data to manufacture trust.

The Cambridge Analytica episode suggests that the most sophisticated exploitation of personal data happens in daylight. Facebook data were harvested and used to build psychological profiles of millions of voters in the United States and the United Kingdom. The profiles identified each person’s fears, aspirations, spending habits and emotional triggers. Targeted political advertisements were then crafted to reach each person with messages tailored to specific psychological profiles. This is a textbook example of behavioural manipulation. A company, which may not operate in Bangladesh, might use the purchase data of the four million people at hand to build detailed profiles of consumption and the way of life. The profiles could be sold to insurance companies, which can price premiums discriminatorily based on inferred health habits. They could be sold to political operatives who want to microtarget voters before elections. They could be sold to lending institutions, which can use the inferred incomes and spending patterns to approve or deny credit. None of the tasks requires ‘hacking.’ The data leaked are more than enough for such tasks.

Mobile financial services are embedded in daily life. Criminals equipped with profiles of likely victims can convincingly deceive them into sharing one-time passwords or personal identification numbers, and the victims can lose their entire mobile wallet balance in minutes. In Bangladesh, the recovery of such funds is extremely difficult. Criminals can also open accounts with the leaked profiles, apply for microloans on digital lending platforms or register for credit services. Given that many digital lending platforms rely primarily on mobile number verification, the risk is real. Victims may only discover the fraudulent accounts when lenders begin making calls for repayment.

Under the European Union’s General Data Protection Regulation, which is the global standard for data protection law, companies that fail to protect customer data can be fined up to €20 million or 4 per cent of their global annual turnover. The regulation also gives individuals the right to claim compensation for both material and non-material damage caused by a data breach. Non-material damage may include distress, anxiety and the loss of control over one’s personal information. In Bangladesh, there is no comprehensive data protection law. The Digital Security Act 2018 and its successor, the Cyber Security Act 2023, criminalise unauthorised data access but they do not offer a private right to claim damages. This is a significant gap that leaves four million Shwapno customers legally unprotected.

Beyond the investigation costs, legal fees for filing cases, fees for domestic and international forensic experts and the cost of rebuilding its cybersecurity architecture, Shwapno faces a deeper problem: its competitive advantage partly rests on its loyalty programme, which is the very database that was breached. When consumers feel that enrolling in a loyalty programme exposes their personal data, they become reluctant to participate. Degradation of a loyalty programme directly reduces customer value and the company’s ability to run data-driven promotions. Reputational damage of this scale can also affect investor perception of its owning company.

The breach checker that circulated online after the Shwapno hack has already received more than 100,000 page views. Security analysts warn that using such third-party checkers may expose users to further data harvesting. Consumers can also change the passwords of mobile banking apps, e-commerce accounts or any platforms that use the leaked phone numbers as a verification tool. If the number is in the leaked database, attackers know which number to target for one-time password harvesting. Consumers might also be victims of SIM-swap attempts. They can ask mobile operators to require additional identity verification before any SIM-related changes are processed. Consumers should also be wary of calls that reference personal details, even if the caller claims to be from a legitimate company.

The Shwapno breach brings to the fore both a technical failure and a governance failure. On the technical side, companies that handle large volumes of customer data must implement layered security architecture. It may include multi-factor authentication on all administrative access points, end-to-end encryption of stored customer data, routine penetration testing by independent third parties and real-time intrusion detection systems that flag anomalous behaviour in a network immediately. The principle of data minimisation — collecting only what is necessary — should govern every system. If a loyalty programme does not operationally require purchase histories to be stored indefinitely, they should be deleted periodically.
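The data-minimisation point above is easiest to see in code. The following is an added example, not code from Shwapno or ACI: a retention job over a constructed in-memory loyalty database that folds expired purchase lines into the customer’s points total and then deletes them, so a later breach can only expose what the programme still operationally needs. The 90-day window, table layout and sample rows are assumptions.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy window; the article only says "periodically"


def open_loyalty_db():
    """Constructed sample database holding the fields the article names:
    name, phone number and purchase history, plus a loyalty points total."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, phone TEXT,
                               points INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE purchase (id INTEGER PRIMARY KEY,
                               customer_id INTEGER REFERENCES customer(id),
                               purchased_on TEXT NOT NULL,  -- ISO date, sorts lexically
                               item TEXT, amount INTEGER, points INTEGER);
    """)
    db.execute("INSERT INTO customer VALUES (1, 'Sample Customer', '01700000000', 0)")
    today = date(2025, 4, 1)  # fixed 'today' so the example is deterministic
    rows = [  # constructed purchase lines: two old enough to expire, one recent
        (1, (today - timedelta(days=200)).isoformat(), "rice 5kg", 400, 4),
        (1, (today - timedelta(days=120)).isoformat(), "cooking oil", 1200, 12),
        (1, (today - timedelta(days=10)).isoformat(), "vegetables", 150, 1),
    ]
    db.executemany("INSERT INTO purchase (customer_id, purchased_on, item, amount, points)"
                   " VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return db, today


def enforce_retention(db, today, retention_days=RETENTION_DAYS):
    """Keep only the aggregate the programme needs (points) and delete the
    line-level history older than the window. Runs as one transaction so a
    crash cannot leave points credited twice or history deleted uncredited.
    Returns the number of purchase rows deleted."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    with db:  # commits on success, rolls back on exception
        db.execute("""
            UPDATE customer SET points = points + COALESCE(
                (SELECT SUM(p.points) FROM purchase p
                  WHERE p.customer_id = customer.id AND p.purchased_on < ?), 0)
        """, (cutoff,))
        cur = db.execute("DELETE FROM purchase WHERE purchased_on < ?", (cutoff,))
    return cur.rowcount


def remaining_items(db, customer_id):
    return [r[0] for r in db.execute(
        "SELECT item FROM purchase WHERE customer_id = ? ORDER BY purchased_on", (customer_id,))]


def points(db, customer_id):
    return db.execute("SELECT points FROM customer WHERE id = ?", (customer_id,)).fetchone()[0]
```

After the job runs, the table an attacker could exfiltrate no longer holds the long-term profile the earlier paragraphs describe, only the recent window and a points balance.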

On the governance side, companies need a clear incident response plan, rehearsed regularly, that includes a mandatory, time-bound customer notification protocol. In Shwapno’s case, the details of how the breach occurred have not been made public, but the reality of retail supply chains is that data flow through a large number of people and systems — point-of-sale terminals, third-party logistics partners, marketing agencies, app developers and more. Every person in the chain who has access to customer data is a potential point of breach. Training must, therefore, be continuous, role-specific and treated as a business-critical function rather than an annual compliance check.

The government must put in place a comprehensive personal data protection law modelled on standard practices such as the principles of the European Union’s regulations, but tailored to Bangladesh’s context. Consumers should at least have the right to know what personal data companies hold, mandatory breach notification within a defined time frame, the right to seek compensation for data negligence, mandatory data protection impact assessments before the launch of digital platforms and independent oversight by regulators with genuine investigative and penalising powers.

Bangladesh has already experienced multiple large-scale data exposures — the national identification registry database, birth registry records and now the loyalty database of a private retailer. Data are a responsibility and they are exchanged in trust. Bangladesh, therefore, needs laws, institutions, corporate practices and public awareness to protect personal data. The Shwapno breach is a wake-up call.

Ishtiaque Foysol is a freelance security researcher and trainer at Decodes Lab Ltd.