January 19, 2021

Sensitive data of over 100m Pakistanis breached; interior ministry, NADRA deny responsibility

Pakistan’s Ministry of Interior, as well as the National Database and Registration Authority (NADRA), have both refused to take responsibility of an allegedly major data leakage comprising personal and possibly sensitive information of more than 100 million mobile users, causing uproar among members of the civil society and raising concerns about digital security.

According to a letter dated December 1 from the interior ministry to Sindh High Court (SHC) Assistant Attorney General Hussain Bohra, an inquiry board probing the alleged data leak conducted a “detailed forensic analysis” using the services of cybersecurity firm Rewterz and found that “there was no data leakage on the part of NADRA”.

The data in question “is related to Pakistan Mobile Users and not of NADRA”, the board stated, adding that it did “not correlate with the NADRA database, proving that the data is not from NADRA database”. The body directed the SHC to contact the Ministry of Information Technology and Telecommunication (MoITT), which it said “would further be in a better position to submit relevant details”.

The issue of the damning data leakage was also raised on social media by journalist Haider Kaleem, who termed it, “strange [given] how there’s complete silence over the theft of 11 million Pakistani citizens’ sensitive data”. 

Kaleem regretted that “nobody is ready to take responsibility”.

Dawn reported that Advocate Tariq Mansoor, the individual who had filed a petition “in the larger public interest and public importance”, had told the court in the last hearing the data leak was allegedly by telecommunication service providers and had been uploaded to the so-called dark net by cybercriminals demanding 300 bitcoins (BTC) – approximately over Rs. 1.35 billion – for its sale. It comprised “full names, complete addresses, and CNICs of cellular users”, the publication added.

“It is very relevant here that especially during the lockdown because of COVID-19 pandemic in Pakistan, majority of citizens have been using online, and are using cell phones” to register themselves for the PTI regime’s flagship Ehsaas Programme and Prime Minister Imran Khan’s coronavirus Tiger Force, Mansoor said in his petition, a copy of which is available with the Digital Rights Monitor.

He also highlighted in his petition “a secret ‘Special Advisory’ circular/letter titled ‘Special Advisory Exploitation of WhatsApp by NSO Group” reportedly issued by IT & Telecommunication secretary and shared with the official’s other federal counterparts, showing “the severity and the possible linkage of the instant subject matter”.

The Federal Investigation Agency (FIA) had already been directed by the chairperson of the Senate Standing Committee on Interior, Senator Rehman Malik, to investigate and submit a report on the matter, he added.

The advocate, however, underscored that due to a lack of proper intimation by the PTI-led government, that report in question may not be made public. Regardless, he appealed for the SHC to form a high-powered commission to probe the matter under the applicable laws, including the controversial Prevention of Electronic Crimes Act (PECA), 2017, and the Official Secrets Act.

It is noteworthy that back in 2018, the credit and debit card details of more than 19,000 users from almost a dozen Pakistani banks were stolen by hackers based abroad in “the biggest of its kind” cyber-security breach to be sold on dark web forums. Following the State Bank of Pakistan’s (SBP) security advice, several commercial banks had consequently blocked international transactions.

According to Geo TV, the FIA’s chief for digital crimes had said at the time “almost all major Pakistani banks” were affected. Global cyber security firm Group-IB had said the data was being sold on “Jokerstash — a virtual Darkweb hub of stolen card data used by hackers as a distribution point for compromised accounts”, with the debit and credit card information on sale “for prices ranging from $100 to $135 each”.

In an interview with Dawn News TV, FIA Cybercrimes Director Capt (r) Mohammad Shoaib had admitted to the hackers having “stolen large amounts of money from people’s accounts” and acknowledged a “need for improvement in the security system of our banks”. However, he had stressed that the cyber-crime body was “trying to play a proactive role in preventing bank pilferage”.

(BTC1 = Rs4,491,101.74)

Featured Image by Mika Baumeister on Unsplash

Written by

Abad Mansouri (pseudonym) is a journalist and activist writing on gender-based issues and mental health.

No comments

leave a comment