Sri Lanka Board of Foreign Employment leaves 100,000 names and passport and ID numbers up for grabs
It all started with Trevor and Tekla Fernando.
People who listened to the English Service of the Sri Lanka Broadcasting Corporation in the 80s and early 90s may remember them. In an era where getting a request in on the radio meant writing a real, actual, snail mail letter, Trevor and Tekla (who many may remember because of the alliteration in their names) managed to get a request in - and their names read on - every single request show on the SLBC English service. Every. Single. Day.
On Wednesday the 29th, 2014, in a fit of nostalgia I decided to look up who they were. The search was not that long. The name was not all that common (and from the results I got, not that uncommon either). One of the results I got was ... somewhat disturbing.
The numbers looked like they were ID and passport numbers, and having those out in the open is never a good thing.
So I clicked the link and found myself downloading a 2.5 MB Microsoft Excel file. It was full of names and ID and passport numbers. Scrolling to the bottom of the file I found there were over 25,000 of them. There were three other files with 25,000 names and passport numbers in each of them, and one of them had the ID numbers as well. The four files dated from July to September 2013, meaning that they were accessible to the public for about a year.
So I looked for the URL it was downloaded from. It was a completely unprotected directory on the Sri Lanka Board of Foreign Employment website. There were three other similar files, and many other files, that could be accessed directly. Alarm bells started going off in my head, and the IT security guy in my head was having an apoplectic fit.
This was so many levels of Not Good.
So the next day (Thursday, the 24th of July, 2014) I sent an email to the office of Amal Senalankadhikara, the Chairman of the SLBFE Detail. It was , and I was told by his secretary that he was not in yet, and that he would be in after . So I called at 9am. I was then told that he was on his way to a meeting, and why was I calling. I explained in simple terms that there was a security breach on their website, and I wanted to bring it to his attention. I was asked to speak to their IT consultant, Roshan somebody (I never got their last name) and given a cellphone number.
So I called him. He didn't answer, but called me back about 30 minutes later. He asked me who I was, so I told him, and told him my credentials so that he would know that I was not some amateur. I explained the situation and he told me
yes, those are public records and supposed to be out there.
So I asked him if public records included documents with names, ID numbers, and passport numbers.
At this point he accused me of hacking and scanning his site and said
Now we have to find out who you are. Then he hung up.
I was now getting rather angry.
So I called the secretary - who I must say was a very nice lady - and told her that I had been threatened by her "IT Consultant" and I would like to speak to the chairman please. I was told that he was at a meeting, and could I explain what the problem was.
So I did. Using small, non-technical words.
To her credit, she understood the gravity of the situation immediately, and asked for my phone number so they could call me back. She also asked me to call her chairman after
Meanwhile I put up a Facebook post.
About 30 minutes later I received a call from another lady who asked me what the problem was. I explained the situation for her, and told her about the MS Excel files. She agreed that it was a massive issue, and promised to fix it. Within five minutes the files were gone.
I then called the chairman at and was told by a different secretary that he had left to go outstation, so could I please call the next morning.
Meanwhile the FB post I made was getting quite a bit of attention. Many of my friends were asking why I didn't report it to the National Center for Cyber Security, others why I was getting so bothered by something that was being proven to be not my problem, and something the SLBFE was unconcerned about. I had two reporter friends asking for the story, and a bunch of people asking for the URL (which I wasn't ready to release).
I was upset about all this because I am not sure how much mischief you can get up to with someone's name, passport number, and ID number, but I imagine it's quite a bit. I have spent too much time fighting security breaches that I feel bad for the poor sysadmin who is at the firing line. I also like to think that I am a good guy. That I do the right thing. This may be a delusion, but we all have them.
So on Friday (the 25th of July) I called the chairman's office at about 9am. A different secretary told me that he was not in the office yet and hung up.
This is where I drew the line in the sand.
I have tried multiple times to get in touch with Mr. Amal Senalankadhikara, the Chairman of the SLBFE. I wanted to explain to him that their site was insecure. I wanted to explain to him that putting up a downloads directory, and then giving people unsecured access to it, and - probably - telling people "the documents are in that folder, get what you want," is inherently insecure in so many ways.
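The kind of exposure described above comes down to two web server settings: directory listing on the downloads folder, and no access control on what sits inside it. As an added illustration (not configuration from the SLBFE site or from this post), here is an Apache virtual host fragment showing the weak setup beside a corrected one. The paths, realm name and user file are assumed placeholders.

```apacheconf
# Added example, not from the original site. Paths are placeholders.

# --- Weak: anyone can browse the folder and fetch every file in it ---
<Directory "/var/www/html/downloads">
    Options +Indexes          # renders a clickable list of every file
    AllowOverride None
    Require all granted       # no authentication, no authorization
</Directory>

# --- Corrected: no listing, and files served only to authenticated users ---
<Directory "/var/www/html/downloads">
    Options -Indexes          # a request for the folder itself gets 403, not a file list
    AllowOverride None

    # Require a login before any file in the folder is served.
    AuthType Basic
    AuthName "Staff downloads"                 # placeholder realm
    AuthUserFile "/etc/apache2/downloads.htpasswd"   # placeholder, created with htpasswd(1)
    Require valid-user

    # Belt and braces: never serve spreadsheets or CSV exports from here at all;
    # records with personal data belong behind an application, not in a static folder.
    <FilesMatch "\.(xlsx?|csv)$">
        Require all denied
    </FilesMatch>
</Directory>
```

A quick self-check after deploying the corrected block: request the folder URL and each known file URL without credentials and confirm that both return 403 rather than a listing or a download. Keeping search engines from indexing the folder (a robots.txt entry) is not a substitute; the files here were found through a search engine precisely because the server itself handed them out freely.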
I didn't want to make all this information public. Some things just shouldn't be done. But through their actions and their inaction they have forced my hand.
Do what you think is right. Or wrong. I wash my hands of this.