Biggest Data Breach in Pakistan’s History

Pakistan has been under an alarming situation due to increasing cyber attacks, as a result, our IT industry may have to face some serious challenges within the next few years. In the past, a report, based on malware infection, was officially published by Microsoft, where Pakistan tops the list of countries which are highly vulnerable and infected by malware.

Our non-serious attitude toward cybersecurity is forcing Pakistan toward catastrophic disaster.

It is still unclear how such a sensitive database was left vulnerable for unauthorized use without any significant cybersecurity measures. This could be the biggest data breach in the history of Pakistan as reports claimed that Punjab Information Technology Board (PITB) is responsible for creating vulnerable mobile applications directly connected with the API of NADRA, which can request details of any Pakistani citizen using different means. It is reported that hacktivists were able to gain access to private data, such as the detailed report of any Pakistani including CNIC, call data records (CDR), hotel check-ins, vehicles and registration numbers, criminal records, driving license details, e-police toolkit and much more, which is miserable.

A case study shows that several groups were existent on Facebook and WhatsApp where culprits were selling details of Pakistani nationals for just Rs. 100 posts on such groups exposed images of these applications normally designed for police and other governmental institutes. The fact could not be denied that security was compromised because of the data which was requested by some researchers using those APIs. Some of these groups were years old, which shows how unserious PITB was in monitoring unauthorized access.

Just imagine how easy it would be to manipulate users’ data during electoral reforms in case e-voting machines were used, it would be pointless for the majority of people in Pakistan to understand such type of rigging due to lack of awareness on cybersecurity. Meanwhile, chairman of PITB Umar Saif, rejected data breach claims in a Facebook post stating that “PITB is equipped with a state-of-the-art tier-3 scale data center, modern SOC and a highly qualified security team. Any external cyber attack or unauthorized access by a user is promptly addressed.”

If PITB had such a qualified security team – why they were unable to prevent unauthorized used by culprits? If such incidents were promptly addressed – why they were not able to take any action against the people who are responsible?

They must have blocked unauthorized use and all vulnerable applications should be patched in a timely manner to avoid this but activities in such social groups seemed to be mature. Another point to consider is that software houses, which develop such applications, work under some framework or architecture which consist of a security testing phase. Auditing vulnerabilities in these applications is necessary before releasing or publishing, while chairman PITB Umar Saif is claiming they had a qualified security team, then how were applications developed with such vulnerabilities, which is open to hacktivists for accessing record of any Pakistani citizen? It is still unsure if PITB has taken any action against the people who were involved, especially security team which failed to implement security protocols in these apps.

We should always learn from our mistakes rather than rejecting claims, we appreciate the efforts of PITB in digitizing Pakistan, but a chain is only strong as its weakest link. A single vulnerability can open doors for hacktivists to challenge your security measures.

Security researchers from Pakistan are demanding a cybersecurity unit from the Government of Pakistan to prevent such type of issues in near future. If Pakistan had a cybersecurity unit, this could have been prevented. We should give a chance to qualified and talented researchers in Pakistan who are even willing to volunteer their services. Researchers have recommended Government of Pakistan to conduct yearly nationwide hackathons where researchers are invited from all over Pakistan to penetrate all the possible vulnerabilities of such sensitive apps and servers and allowing them to secure in a timely manner.