
Bangladesh Election Website Exposes 14,000 Journalists – And a Bigger Truth

By Tech Writer and VPN Researcher Gintarė Mažonaitė
Last updated: 2 February, 2026

A technical flaw in a Bangladeshi Election Commission website exposed the personal data of roughly 14,000 journalists – and the most disturbing part isn’t the bug itself, but how predictable the whole thing was.

According to reporting from The Daily Star, the leak occurred through an online application portal introduced ahead of Bangladesh’s 13th national parliamentary election. Journalists were required to apply online for accreditation cards and vehicle stickers using a newly launched site operated by the Election Commission. In theory, this was about efficiency and modernization. In practice, it turned into a data protection nightmare.

For roughly two hours, sensitive personal information, including photographs, signatures, national ID numbers, phone numbers, and official documents, was publicly accessible. A simple change in the website’s URL, replacing the word “user” with the word “admin,” allowed virtually anyone to browse full application files. No hacking expertise required. No credentials needed. Just plain human curiosity.

Also, this wasn’t just some obscure metadata. The site’s homepage reportedly displayed lists of applicants, including their national ID numbers and mobile phone numbers, with direct links to complete submissions. By the time the portal was taken offline, the damage was already done. Whether the data was downloaded or archived by third parties remains unknown. And that uncertainty is exactly the point.

A Leak That Shouldn’t Have Happened

This breach didn’t involve criminals exploiting hidden vulnerabilities or foreign actors launching sophisticated cyberattacks. It happened because a government-built system went live without basic access controls, the kind of mistake that would, more than likely, get a 9-5 office developer fired on the spot.
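The control that was missing is a server-side authorization check on every request. As an added example (not code from the Election Commission portal or from the reporting; the route names, roles and session shape are hypothetical), this Python code contrasts a handler that trusts the URL with a deny-by-default check, and includes a pre-launch test that lists admin routes reachable without the admin role:

```python
# Added illustration: routes, roles and session shape are hypothetical,
# not taken from the Election Commission portal.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "applicant" or "admin"

# Every route declares which roles may reach it; anything unlisted is denied.
ROUTE_ROLES = {
    "/user/application": {"applicant", "admin"},
    "/admin/applications": {"admin"},
}

def authorize_by_url_only(path: str, session: Optional[Session]) -> int:
    """Flawed pattern: the path alone selects the view; the caller is never checked."""
    return 200 if path in ROUTE_ROLES else 404

def authorize(path: str, session: Optional[Session], owner_id: Optional[str] = None) -> int:
    """Deny-by-default check run on the server for every request."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 404                      # unknown route
    if session is None:
        return 401                      # no credentials at all
    if session.role not in allowed:
        return 403                      # logged in, wrong role
    # Applicants may open only their own file, never someone else's.
    if session.role == "applicant" and owner_id not in (None, session.user_id):
        return 403
    return 200

def prelaunch_check(authz) -> list:
    """Return admin-only routes that an anonymous or applicant caller can open."""
    applicant = Session("u1", "applicant")
    exposed = []
    for path, roles in ROUTE_ROLES.items():
        if roles == {"admin"}:
            for caller in (None, applicant):
                if authz(path, caller) == 200:
                    exposed.append((path, caller.role if caller else "anonymous"))
    return exposed

if __name__ == "__main__":
    print("url-only:", prelaunch_check(authorize_by_url_only))
    print("deny-by-default:", prelaunch_check(authorize))
```

Run as a release gate, the check returns an empty list only when every admin-only route rejects callers who lack the admin role.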

What makes it worse is the context. These weren’t random users. These were journalists: the people whose work already puts them at risk, particularly in politically sensitive environments. The leaked personal data included government-issued identity documents, workplace affiliations, and personal contact details, all tied to individuals covering a national election.

After journalists raised alarms, the Election Commission reversed course and announced a return to manual accreditation. That decision, while necessary, came too late. By then, around 14,000 journalists had already submitted their information online, trusting the system because they were required to. Trust, once again, was misplaced.

Governments Still Don’t Learn

This isn’t a uniquely Bangladeshi problem. It’s part of a global pattern: governments pushing digital systems that collect vast amounts of personal data while consistently failing to secure them.

Election infrastructure, healthcare portals, immigration systems, and COVID databases: the list of government-run platforms that have leaked, exposed, or mishandled sensitive information is long and growing. Each incident is followed by familiar language: “technical flaw,” “brief exposure,” “no evidence of misuse.”

What’s rarely acknowledged is the underlying issue: governments demand data first and figure out security later, if at all. And when things go wrong, the consequences don’t land on institutions. They land on individuals like you and me.

Journalists as Collateral Damage

That this breach affected journalists should alarm anyone who cares about press freedom, not just data privacy. Exposing identity documents and contact details during an election cycle creates real-world risks: harassment, intimidation, surveillance, and retaliation.

Even if no malicious actor accessed the data (a claim that can’t be verified), the exposure itself is enough to chill speech and deter people from signing up in the future for fear of similar mishaps. 

When journalists are forced to hand over sensitive information to access their own democratic process, and that information is then mishandled, the message is clear: your safety is secondary. Governments love to talk about protecting democracy. But they’re surprisingly less competent at protecting the people who report on it.

Protect Yourself, Because No One Else Will

The uncomfortable truth is that governments everywhere have repeatedly shown they can’t be trusted as responsible stewards of our personal data. Not because they’re uniquely malicious, but because they’re slow, unaccountable, and rarely face consequences for failure.

Digital systems are expanding faster than safeguards. Data collection is mandatory; data protection is optional. And once your information leaks, there’s no recall button.

This incident is a reminder that online safety isn’t something handed down from institutions. It’s something individuals have to actively defend by minimizing sensitive data exposure, questioning digital mandates, and refusing to accept “whoops” as an acceptable excuse. Because the next leak won’t be surprising either, and the next apology won’t undo it.


Gintarė Mažonaitė
Tech Writer and VPN Researcher

Gintarė is a cybersecurity writer at Mysterium VPN, where she explores online privacy, VPN technology, and the latest digital threats. With hands-on experience researching and writing about data protection and digital freedom, Gintarė makes complex security topics accessible and actionable.

© Copyright 2026 UAB "MN Intelligence"