PITB Publicly Exposed the Private and Sensitive Data of Thousands of Individuals

Punjab Information Technology Board was found responsible for exposing the privacy of thousands of Pakistani individuals.

The security bug was mainly due to amateurish directory permissions that allowed directory listing on one of the PITB servers, which houses tons of information. This allowed easy and simple access to the private and sensitive data of thousands of citizens.

Those with very basic computer knowledge could access the exposed directory. They could access and download/dump dozens of GBs of the private data that included personal information such as:

  • CNIC numbers
  • Front and back of CNICs
  • Scanned copies of all the educational degrees
  • Work experience
  • CVs and more

The bug has now been taken care of and it bears mentioning that we are running this story after the server has been secured.

PITB said that their servers are usually secure and are routinely monitored for any flaws. This very specific incident, however, remained unattended due to a recent server upgrade, PITB said.

We have seen this happening before where organizations — mainly due to poor planning — exposed private and sensitive data of their users, students or job applicants.

At a time when digital identities are becoming more and more valuable and crucial for everyone, exposure of private data can ultimately become a nightmare for individuals.

Moreover, organizations like PITB, which handle and maintain records of hundreds of thousands of Pakistanis, should be overly concerned about such small things that may lead to data leaking into the wrong hands.

Thanks to Uzair Farooqui for the tip.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • When you rely on students and non-professional people to build a corporate-level product, this happens. That’s why a professional charges you tons of money. Experience counts, only education with ‘Network Security’ subject does not.

  • “This very specific incident, however, remained unattended due to a recent server upgrade.”
    Directory permissions is a basic thing when putting files on server.
    You hire amateur guys and then make lame excuses.

  • This issue was shared with them (Dr. Umer Saif) on 03-Aug-2017 and no action was taken till yesterday. Today it is fixed.

  • Nightmare! It’s literally the basics of publicly exposed machines with any sensitive data.

    Do they have any type of monitoring on these servers at all? Would they be able to produce an estimate of amount of data exposed and downloaded? I doubt, unfortunately.

  • Actually no one is serious for privacy.
    If they are, they must think positively about the servers that are already physically available to enemy countries.
    And they have imposed their willing policies to us…

    Did any one think about it???

  • Thanks for sharing.. I will try to contact PITB with a PPT on importance of personal data and its protection :P
    But can somebody tell me what are they hosting? As far as I know, they are providing public/private cloud hosting. Does anybody know which organization’s data got compromised? Thanks!

    • It was not just about the pages. It was about the documentation. CNIC pics, Educational records, work experience etc…

      • Yes, I know you could just change the URL to access everything (pages containing the data); they didn’t make anything private.

  • An open letter to Dr. #UmarSaif: Instead of posting threats of legal action by govt., make clear about your I.T system securities. News may be true or false. Of course you can take legal action, but first, you hold huge sensitive data; assure us whether it is safe all the way. Coz stealing of sensitive can cause irreparable loss to innocent citizens. Regards, Shahid Jamal Tubrazy, Cyber Security Consultant & Lawyer.

