Technology company providing identity verification and workflow automation tools.
Tappware, a Bangladeshi IT services and identity-verification platform, suffered a data breach on April 23, 2024, when an attacker exfiltrated approximately 34 to 50 gigabytes of data, including approximately 2.3 million rows of personal information, from Tappware's systems. The breach data was subsequently published on a hacking forum on May 1, 2024. The breach was discovered by the Bangladesh Cyber Security Intelligence (BCSI) during routine monitoring activities. Have I Been Pwned indexed the breach on May 9, 2024 with 94,734 unique email addresses extracted from the broader leak. The breach affected approximately 95,000 unique email addresses based on records indexed by Have I Been Pwned, with the broader 2.3 million-row dataset covering a substantially larger population of Bangladeshi citizens.
Compromised fields included email addresses, full names, dates of birth, gender, religion, job titles, phone numbers, physical addresses, and scans of Bangladeshi national identity (NID) cards. The exposed dataset was structured across multiple files including employee records, profile records, trainee information, user accounts, and worker information files, indicating that Tappware's data covered both individual users and enterprise workforce records collected through identity-verification and worker-management workflows for client organizations.
For affected individuals, the practical risk profile is exceptionally severe due to the inclusion of national identity card scans alongside the full identity profile. The combination of NID card scans, full name, date of birth, address, and phone number provides essentially a complete identity-fraud kit that supports impersonation across Bangladeshi banking, telecommunications, government services, and employment verification systems. The exposure of religious affiliation data creates additional risk of targeted harassment or discrimination in Bangladesh's communal context.
Affected individuals should monitor their financial accounts, banking activity, and any identity-verification activity for unauthorized changes; remain alert to phishing or impersonation attempts referencing real personal details; and consider notifying Bangladeshi authorities if any unauthorized identity activity is detected. The persistence of NID-card data in the leaked dataset means the identity-fraud risk extends across an indefinite timeframe because Bangladeshi NID numbers do not change for an individual. The combination of employment data including job titles and employer information also creates risk of employment-based social engineering attacks targeting either the affected individuals or their employers.
ObscureIQ assessment: High risk of identity theft, document fraud, and impersonation. Identity-verification platforms are especially dangerous because they may hold verified personal and business records.
The institutional impact on Tappware has been moderate based on publicly available information, with Tappware continuing to operate following the breach. Bangladesh's data-protection legal framework was less developed than EU or U.S. equivalents at the time of the breach, although Bangladesh has been progressing toward more comprehensive personal-data legislation. Civil litigation exposure has been limited based on publicly available information. The reputational impact has concentrated within the Bangladeshi enterprise IT services sector and within the broader Bangladeshi cybersecurity discussion of repeated identity-data exposures during 2023-2024. The case has been formally cited in BCSI commentary as illustrating the security weaknesses of Bangladeshi identity-verification service providers and the need for more comprehensive cybersecurity standards across the sector.
Tappware Solutions Limited is a Bangladeshi information-technology services and software-development company headquartered in Dhaka. The company provides identity verification, electronic Know Your Customer (e-KYC), workflow automation, and digital identity services to enterprise customers in Bangladesh including labor management, employment verification, and worker onboarding workflows. Tappware operates the tappware.com domain and provides software-as-a-service products that aggregate substantial personal-identification data including Bangladeshi national identity card (NID) information used for identity verification of workers and employment applicants. As an identity-verification service provider, Tappware maintains highly sensitive personal data on a substantial population of Bangladeshi citizens including identity scans, demographic profiles, employment records, religious affiliation data, and contact information.
Identity-verification and workflow platforms collect customer identity, e-KYC records, document data, workflow activity, and account-management information across verification and business-process services.
The breach was discovered by the Bangladesh Cyber Security Intelligence (BCSI) during routine monitoring activities on cybercriminal trading platforms, with BCSI publicly disclosing the incident on May 12, 2024. BCSI recommended that Tappware activate an incident response plan, conduct comprehensive security audits, implement multi-factor authentication, and enhance employee cybersecurity training. The breach was indexed by Have I Been Pwned on May 9, 2024. The case sits within a broader pattern of substantial Bangladeshi personal-data exposures during 2023-2024, including the Bangladeshi government NID server leak that exposed personal information of approximately 50 million Bangladeshi citizens (a separate incident from the Tappware breach). The cumulative effect is substantial identity-fraud risk for Bangladeshi citizens. Tappware has not made a substantial public statement regarding the breach.
Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.
If you believe your information may be included:
Verified fields include Date of Birth, Email Address, Full Name, Gender, Government ID, Job Information, Phone Number, Physical Address, Religion.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on: