Tappware, a Bangladeshi IT services and identity-verification platform, suffered a data breach on April 23, 2024 when an attacker exfiltrated approximately 34 to 50 gigabytes of data including approximately 2.3 million rows of personal information from Tappware's systems, with the breach data subsequently published on a hacking forum on May 1, 2024. The breach was discovered by the Bangladesh Cyber Security Intelligence (BCSI) during routine monitoring activities. Have I Been Pwned indexed the breach on May 9, 2024 with 94,734 unique email addresses extracted from the broader leak.

The breach affected approximately 95,000 unique email addresses based on records indexed by Have I Been Pwned, with the broader 2.3 million-row dataset covering a substantially larger population of Bangladeshi citizens. Compromised fields included email addresses, full names, dates of birth, gender, religion, job titles, phone numbers, physical addresses, and scans of Bangladeshi national identity (NID) cards. The exposed dataset was structured across multiple files including employee records, profile records, trainee information, user accounts, and worker information files, indicating that Tappware's data covered both individual users and enterprise workforce records collected through identity-verification and worker-management workflows for client organizations.

For affected individuals, the practical risk profile is exceptionally severe due to the inclusion of national identity card scans alongside the full identity profile. The combination of NID card scans, full name, date of birth, address, and phone number provides essentially a complete identity-fraud kit that supports impersonation across Bangladeshi banking, telecommunications, government services, and employment verification systems. The exposure of religious affiliation data creates additional risk of targeted harassment or discrimination in Bangladesh's communal context. Affected individuals should monitor their financial accounts, banking activity, and any identity-verification activity for unauthorized changes; remain alert to phishing or impersonation attempts referencing real personal details; and consider notifying Bangladeshi authorities if any unauthorized identity activity is detected. The persistence of NID-card data in the leaked dataset means the identity-fraud risk extends across an indefinite timeframe because Bangladeshi NID numbers do not change for an individual. The combination of employment data including job titles and employer information also creates risk of employment-based social engineering attacks targeting either the affected individuals or their employers.

Identity-verification and workflow platforms collect customer identity, e-KYC records, document data, workflow activity, and account-management information across verification and business-process services.

The breach was discovered by the Bangladesh Cyber Security Intelligence (BCSI) during routine monitoring activities on cybercriminal trading platforms, with BCSI publicly disclosing the incident on May 12, 2024. Bangladesh BCSI recommended that Tappware activate an incident response plan, conduct comprehensive security audits, implement multi-factor authentication, and enhance employee cybersecurity training. The breach was indexed by Have I Been Pwned on May 9, 2024. The case sits within a broader pattern of substantial Bangladeshi personal-data exposures during 2023-2024 including the Bangladeshi government NID server leak that exposed personal information of approximately 50 million Bangladeshi citizens (a separate incident from the Tappware breach), with the cumulative effect creating substantial identity-fraud risk for Bangladeshi citizens. Tappware has not made a substantial public statement regarding the breach.