PITB Publicly Exposed the Private and Sensitive Data of Thousands of Individuals

Punjab Information Technology Board was found responsible for exposing the privacy of thousands of Pakistani individuals.

The security bug came down to amateurish directory permissions: directory listing was enabled on one of the PITB servers that houses a large volume of files. That alone gave easy, unauthenticated access to the private and sensitive data of thousands of citizens.

Those with very basic computer knowledge could access the exposed directory. They could access and download/dump dozens of GBs of the private data that included personal information such as:

  • CNIC numbers
  • Front and back scans of CNICs
  • Scanned copies of all educational degrees
  • Work experience records
  • CVs and more

The bug has now been taken care of and it bears mentioning that we are running this story after the server has been secured.

PITB said that their servers are usually secure and are routinely monitored for any flaws. This very specific incident, however, remained unattended due to a recent server upgrade, PITB said.
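An added example (not PITB's code or logs) of the kind of check such monitoring would need: it parses constructed combined-format access-log lines, assumes a hypothetical /applicants/ path for the exposed directory, and reports which clients were actually served the directory index and how much each pulled from the files beneath it.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumption about how the exposed server logged).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Hypothetical directory that held the applicant files, not the real PITB path.
EXPOSED_PREFIX = "/applicants/"

# Constructed sample lines (not PITB's logs), using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2017:09:12:01 +0500] "GET /applicants/ HTTP/1.1" 200 48211
203.0.113.7 - - [10/Aug/2017:09:12:05 +0500] "GET /applicants/1023/cnic_front.jpg HTTP/1.1" 200 312540
203.0.113.7 - - [10/Aug/2017:09:12:06 +0500] "GET /applicants/1023/degree.pdf HTTP/1.1" 200 1048576
198.51.100.23 - - [10/Aug/2017:09:15:44 +0500] "GET /index.php HTTP/1.1" 200 5120
198.51.100.23 - - [10/Aug/2017:09:15:50 +0500] "GET /applicants/?C=M;O=D HTTP/1.1" 403 199
203.0.113.7 - - [10/Aug/2017:09:12:09 +0500] "GET /applicants/1024/cv.pdf HTTP/1.1" 200 220000
"""

def analyse(log_text, prefix=EXPOSED_PREFIX):
    """Return (listing_clients, bytes_by_ip) for the exposed directory.
    listing_clients: IPs actually served (HTTP 200) the directory index, so
    autoindex was still on; bytes_by_ip: bytes sent per client from files under
    the prefix, a first estimate of how much was downloaded."""
    listing_clients = set()
    bytes_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or int(m["status"]) != 200:
            continue  # 403/404 etc. mean the listing was already blocked
        path = m["path"].split("?", 1)[0]  # drop autoindex sort params like ?C=M;O=D
        if not path.startswith(prefix):
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        if path == prefix:      # the directory index itself
            listing_clients.add(m["ip"])
        else:                   # a file beneath it
            bytes_by_ip[m["ip"]] += size
    return listing_clients, dict(bytes_by_ip)

if __name__ == "__main__":
    clients, per_ip = analyse(SAMPLE_LOG)
    print("clients served the directory index:", sorted(clients))
    for ip, n in per_ip.items():
        print(f"{ip}: {n / 1e6:.2f} MB pulled from {EXPOSED_PREFIX}")
```

On real logs the per-client byte totals are only a lower bound, since a client that read the index and fetched files over several sessions or addresses will be split across entries.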

We have seen this happening before where organizations — mainly due to poor planning — exposed private and sensitive data of their users, students or job applicants.

At a time when digital identities are becoming more valuable and crucial for everyone, exposing anyone's private data can ultimately become a nightmare for the individuals affected.

Moreover, organizations like PITB, which handle and maintain records of hundreds of thousands of Pakistanis, should be especially concerned about such small details, which can let data leak into the wrong hands.

Thanks to Uzair Farooqui for the tip.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK

  • Talal Masood

    When you rely on students and non-professional people to build a corporate-level product, this happens. That's why a professional charges you tons of money. Experience counts; education with only a 'Network Security' subject does not.

  • Farhan

    Shh! You’ll upset the greatest IT person of Pakistan Mr Umar Saif!

    • proclaimed IT LORD

      • Fahad Uddin

        • Fahad Uddin

          • This is like: "Our son sends 1000 SMS for 3 rupees."

    • Irfan Nasim

      Don't agree with you, the greatest is not enough. He needs to engage experienced professional personnel.

  • Uzair Farooqi

    Aamir bhai, I don't see any credits here. Lol?

    • aamir7

      do you deserve the credit? after bashing me this bad?

      • Anony

        You only give credit to people who are nice to you?


        • aamir7

          I was kidding and said this in a light mood.

  • M Khizer Javed

    ahhahah xD Hackers Everywhere :P I bet The Data is Dumped already :P

  • Hammad Rasheed

    “This very specific incident, however, remained unattended due to a recent server upgrade.”
    Directory permissions is a basic thing when putting files on server.
    You hire amateur guys and then make lame excuses.

    • Uzair Farooqi

      Most probably the work of interns.

    • Uzair Farooqi

      I even sent an email to PITB and tweeted Umer Saif but they didn’t respond

  • Asad Memon

    Does anybody have the dump? I think we need to make a lesson out of this one.

    • Maavuz Saif

      You want to get arrested? Because that's how you get arrested :D

    • Fahad Uddin

      you want to be news again? This time for the wrong reasons :p

  • Bilal

    This issue was shared with them (Dr. Umer Saif) on 03-Aug-2017 and no action was taken till yesterday. Today it is fixed.

  • Nightmare! It's literally the basics of publicly exposed machines with any sensitive data.

    Do they have any type of monitoring on these servers at all? Would they be able to produce an estimate of the amount of data exposed and downloaded? I doubt it, unfortunately.

    • Uzair Farooqi

      18000+ individuals' data containing all their sensitive information was openly available. It seemed to me like someone did it deliberately…

      • Only ITU data or tenant info also?

        • Uzair Farooqi

          It was the data of job applicants who applied on various posts advertised by PITB recently

  • Then hand over the girls' numbers…

    • Uzair Farooqi

      lol :D

    • Remember what Ambar did to Sheedy? :D

      • We got played… she gave us the wrong number :/

  • Irfan Sabh

    Actually no one is serious about privacy.
    If they are, they must think positively about the servers that are already physically available to enemy countries.
    And they have imposed their willing policies on us…

    Did anyone think about it???

  • Umer Aziz

    Thanks for sharing. I will try to contact PITB with a PPT on the importance of personal data and its protection :P
    But can somebody tell me what they are hosting? As far as I know, they are providing public/private cloud hosting. Does anybody know which organization's data got compromised? Thanks!

  • wight walker

    While praying for a shaheed SSP, someone looks so happy to see his own name on the name plate

  • NOOB

  • Muzamil Sarfraz

    Not new news, I've known this since July; they didn't make the pages private, trouble for the women particularly.

    • Uzair Farooqi

      It was not just about the pages. It was about the documentation. CNIC pics, Educational records, work experience etc…

      • Muzamil Sarfraz

        Yes, I know, you could just change the URL to access everything (pages containing the data); they didn't make anything private.

  • shahid jamal tubrazy

    An open letter to Dr. #UmarSaif: Instead of posting threats of legal action by the govt., make clear the security of your IT systems. The news may be true or false. Of course you can take legal action, but first, you hold huge amounts of sensitive data; assure us whether it is safe all the way. Because the theft of sensitive data can cause irreparable loss to innocent citizens. Regards, Shahid Jamal Tubrazy, Cyber Security Consultant & Lawyer.