News Source: Daily Times
Writer: Marvi Sarmad
Islamabad: The privacy of thousands of Pakistani citizens seems to have been compromised in what could possibly be the country’s largest ever data breach.
Daily Times has learnt that profiles set up on various social media platforms, including Facebook, WhatsApp and Twitter, are offering for sale data held by various federal and provincial authorities. Sources within the Punjab Information Technology Board (PITB) have confirmed that they were aware of personal and confidential information of Pakistani citizens being sold online, but that there was no urgency within the PITB leadership to address the concern. The information being sold through Android apps on the Google Play Store includes personal data associated with CNIC numbers. One app called ‘Trace Mobile’ offers subscribers the names and addresses of people looked up by their cell phone numbers. Another app offers information related to driving licences, current location, call details, and even criminal records associated with CNIC numbers, on payment of Rs.3,000. Through a Facebook group that flaunts the slogan “NADRA data, all networks SIM data, and all types of data is available”, one can even get NADRA family trees associated with CNICs for as little as Rs.100.
Daily Times further learnt through its source that NADRA’s API keys shared with the PITB for CNIC verification were known to almost all software developers in the board.
Another PITB source confirmed there were no audit logs and trails in the software systems developed by the Board. “The PITB doesn’t even have backup and disaster recovery sites for their systems. All these should be checked by some third-party auditor.” The source maintained that such an audit has always been resisted by the board’s leadership.
There is essentially no independent watchdog to audit what PITB is doing with citizens’ data. This highlights the pressing need for such a watchdog for data safety, over and above the PITB and all other departments engaged in the digitisation of citizens’ data.
Speaking to Daily Times, an anonymous ‘ethical hacker’ not linked to the data leak claimed he had hacked PITB data earlier this week, though he could not share any evidence to corroborate the claim. He said the intention was to check the security measures in place. He said that most of the PITB data was breached (as opposed to being hacked) through apps like Raasta, a traffic alert and navigation application, and Agriloans, an application for farmers to get easy loans.
A tech expert, speaking on the condition of anonymity, said that he could confirm that PITB data was not hacked, “or at least we don’t have the evidence”. However, “instances of unauthorized access have been found, and Internet is full of such evidences. Just try searching on OLX or YouTube.”
When PITB was approached to confirm this breach, the officials including the PITB chairperson denied being privy to any such breach. In response to a questionnaire sent by DT, the PITB issued a brief statement on Tuesday afternoon that termed reports about the possible data breach as “concocted, baseless, mischievous and contrary to the facts”. Referring to the sources who spoke to Daily Times on the condition of anonymity, the spokesman lamented that “blaming PITB on such sensitive issue by unidentified and unknown elements itself confirmed that the move was with mal intentions by some individuals having vested interests, otherwise claimants of such reports would have confronted with their real faces and original names”.
Responding to a query about its data security protocols, the PITB spokesperson said, “We have a highly qualified in-house security team headed by a thorough professional, which is vigilant 24/7 to respond to the cyber threats.”
Further, the spokesperson dismissed claims about data leaks as “factually incorrect”, adding, “any violation of tress pass [SIC] or exercising unauthorised access by any official is always dealt under the prevalent service rules”.
Earlier, on Tuesday, PITB chairman Umar Saif tweeted, “There is no data breach of Government of Punjab IT systems. PITB is equipped with a state-of-the-art tier-3 scale data center [SIC], modern SOC and qualified security team.” However, in the next sentence, he hinted at a possible breach by saying, “any external cyber attack or unauthorised access by a user is promptly addressed”.
In another round of tweets, Dr Saif threatened legal action under the Prevention of Electronic Crimes Act against anyone discussing the report, which he categorically denied and termed ‘fake’. “If you are producing content, uploading content or sharing content that deliberately spreads false information about government systems or personnel, you are liable under the Pakistan Cybercrime Law 2016 with a prison sentence of 6 months,” he tweeted.
NADRA officials, when contacted, similarly denied any knowledge of a data breach from their servers. However, the director general said that such a breach might have happened either from Punjab’s Land Records Authority or from Punjab Police, who are generating their own data during the process of digitisation. “NADRA only provided verification services to these entities, nothing more than that,” he added. He confirmed to DT that NADRA had discontinued the verification services previously available to PITB and Punjab Police. The service, he said, would be restored as soon as clarity is achieved on data security.
Meanwhile, speaking to DT, data security and IT professional Usama Khilji, who serves as the director of digital rights organisation Bolo Bhi, maintained that the legal framework ensuring safety and privacy of citizens’ personal data was currently non-existent in Pakistan. “There are no laws in place that protect people’s personal data despite Article 14 of the Constitution, which guarantees the dignity and privacy of home to be inviolable subject to law.”
Khilji urged the legislators and the courts to consider the right to privacy in the realm of the Internet, where vast amounts of data on each citizen are stored. He said that the federal government was required by Section 43 (2)(e) of the Electronic Transactions Ordinance 2002 to make regulations providing for the privacy and protection of subscribers’ data, but little had been done in this regard.
The largest, and so far little-noticed, data breach occurs on a daily basis in plain sight in the telecom sector. As per the statistics issued by the Pakistan Telecommunication Authority (PTA) in May 2017, the number of cell phone users in Pakistan has exceeded 140.5 million. These are the people whose CNIC numbers, home addresses, and even call logs are accessible for a nominal subscription fee through many apps commercially available on the Internet in Pakistan. Some SMS marketing companies are even offering ‘bulk messaging’ advertisement services to cell phone users without their consent. One bulk messaging service, SMSall, has corporate clients including big companies, media houses and even the Punjab government. The owner of this commercial service, as per sources, is a senior official within the provincial administration.
Regarding implications of data breach at such a scale, Khilji said that hacked personal data could expose users to risks of criminal threats such as burglary, mugging and kidnapping, as well as potentially endangering activists, journalists and political workers. He said that this kind of data theft had the potential to make women, in particular, more vulnerable.