Fake e-Apostille websites expose our digital governance’s flaws
We are alarmed by the leak of sensitive personal data of at least 1,100 citizens through a fake e-Apostille website, which is a stark reminder of how vulnerable citizens' data remains in the country. Reportedly, national identity cards, passports, marriage certificates, educational records, trade licences, and business contracts—documents that define an individual's legal and personal identity and are required for studying abroad, employment, or business purposes—were left openly accessible on a fraudulent platform posing as a government service.
This fake website closely resembled the government's official e-Apostille portal, which digitally authenticates government-issued documents. The official portal is operated under the myGov platform of the ICT Division's Aspire to Innovate (a2i) programme. The fake website used a similar structure and name but ran on a different domain. It not only issued fake e-Apostille certificates but also allowed anyone to access other people's documents without much effort. In other words, without any form of identity verification or additional authorisation, a user could access another person's sensitive documents. This is worrying. Reportedly, many victims of the data breach applied through shops or intermediaries, a common practice given the complexity of the procedure. But whether they applied themselves or via intermediaries is irrelevant. The fact that such a large volume of sensitive data could be uploaded, stored, and accessed on a fraudulent platform points to systemic weaknesses in oversight, public awareness, and digital governance.
Unfortunately, this data leak is not a one-off incident. Previous allegations of data leaks involving platforms such as Surokkha (the government's Covid-19 vaccination management system) and reports of citizens' data being sold on the dark web suggest a persistent pattern of breaches. Leaks of passports, NIDs, and marriage certificates open the door to identity theft, fraud, harassment, and serious personal security risks. Women, in particular, are more vulnerable to the misuse of such information. Alarmingly, at least six fake domains posing as myGov and e-Apostille services have been discovered. These look-alike websites, designed to extract personal data and potentially commit financial fraud, not only endanger citizens but also erode trust in legitimate government platforms.
The government must prioritise and protect citizens' personal information through stronger security standards, independent audits, swift takedown of fake platforms, legal action against those involved, and public awareness campaigns. Without such measures, Bangladesh's push towards digital governance will not succeed.