Punjab Information Technology Board was found responsible for exposing the privacy of thousands of Pakistani individuals.
The security bug was mainly due to an amateurish directory permissions, that allowed the directory listing on one of the PITB servers that houses tons of information. This basically allowed easy and simple access to private and sensitive data of thousands of citizens.
Those with very basic computer knowledge could access the exposed directory. They could access and download/dump dozens of GBs of the private data that included personal information such as:
- CNIC numbers
- Front and Back of CNICs
- Scanned copies of all the educational degrees
- work experience,
- CVs and more.
The bug has now been taken care of and it bears mentioning that we are running this story after the server has been secured.
PITB said that their servers are usually secure and are routinely monitored for any flaws. This very specific incident, however, remained unattended due to a recent server upgrade, PITB said.
At a time when digital identities are getting more and more valuable and crucial for anyone, exposing private data of anyone can ultimately become a nightmare for individuals.
Moreover, organizations like PITB, that handle and maintain records of hundreds of thousands of Pakistanis, should be overly concerned about such small things that may lead to leaking of data into the wrong hands.
Thanks Uzair Farooqui for the tip.