We are shocked to find out that the server of the National Board of Revenue (NBR) can be accessed and manipulated so easily by cybercriminals. On November 19, this daily reported how the NBR's "secure" server was breached to create false records of 24 completed shipments out of Chattogram Port, which never took place in reality. The fake exports amounted to Tk 12.78 crore and were shown to have taken place after criminals accessed the server using the credentials of two customs officers. One of the officers admitted that he would often allow unauthorized personnel to access the server using his ID and password when he was busy doing other things.
Though this incident is already concerning enough, the bigger picture is even more disconcerting, given that this is the second incident of the NBR server being breached in recent months. Just last week, it was found that fraudsters had used the IDs and passwords of two customs officials to wrongfully release nine consignments by submitting fake Import Permission (IP) papers from the Bangladesh Export Processing Zone Authority (BEPZA) in order to get the duty-free facility. This release of at least 153 tons of goods helped nine importers evade crores of taka in duty. There are a couple of security concerns on the very surface of these two incidents.
Firstly, why are customs officials still so reckless about protecting their access credentials for the NBR server, when the system has been known to be breached before (a series of breaches into the server took place between 2016 and 2018 that allowed firms to evade large sums in taxes)? The Customs House, Chattogram has been known to issue notices before, asking officers not to access the system in the presence of unauthorized individuals.
So why did these officers feel comfortable disregarding this warning, and even going a step further by sharing their credentials with unauthorized individuals? Another concern is regarding the report from last week, which revealed the release of nine consignments using the credentials of two officials (one of whom was on suspension due to bribery allegations), whose IDs were supposed to have been deactivated when the crime took place. Why had the authorities not made sure that the IDs of those two employees had indeed been deactivated? Why put so much faith in a system that has been breached before and in officials who were already deemed untrustworthy? And why, after repeated incidents of hacking, has the system not been made more secure?
Not only should these matters be investigated thoroughly, but it is high time for the NBR to clamp down on such breaches by strengthening the security of its servers. The authorities concerned must be more vigilant and aware of cybercrimes if scams of such scale, which rob the government of crores in tax revenue, are to be avoided.