In a serious breach of security, the private and confidential data of Pakistanis got compromised due to government officials sharing their passwords that were used to access NADRA data.
According to details shared with ProPakistani, the data breach occurred when NADRA gave access of its servers to Punjab Information Technology Board (PITB), which wanted to digitize citizens’ data by linking CNICs with every other department, including but not limited to education, health, police and land registry.
There is currently no evidence available with ProPakistani whether a bigger dump of entire database was extracted or not
As part of the process, access to NADRA data was given to authorized users in different departments in Punjab, who then allegedly shared their credentials leading to data being extracted and being sold online for a nominal price.
Update:
We have noticed a video being shared on Whatsapp claiming that PITB and NADRA have been hacked and data has been leaked online, which is untrue according to the information we have right now.
Please note that the leakage of data through hacking and misuse of authorization (sharing your password with friends) are different types of breaches and must be distinguished accordingly.
So if someone tells you that PITB or NADRA are hacked, we can confirm that it’s untrue.
The information about Pakistani citizens sold online included names, addresses, driving licenses associated with CNIC numbers, criminal records, call details, location, whether or not someone has taken a loan and so on.
The data was sold in private groups on Facebook and Whatsapp as well as directly by those who have or had access to the system. In one case, call records of any cell phone number were being sold for Rs. 100 only.
NADRA says that it’s aware of the situation and claims that PITB was responsible for the safety of the data. It said that a deadline has already been given to the Punjab IT Board to resolve the matter.
Dr. Umar Saif, while speaking with ProPakistani, said that PITB is actively revoking access of the people who misused their access and said that departmental inquiries and action has been taken against the responsible personnel.
According to Dr. Saif, all reported instances have been resolved and they are actively looking for any breach of authorization to block the access.
There is currently no evidence available with ProPakistani whether a bigger dump of entire database was extracted or not, but we can confirm that dozens of officials have access to PITB developed systems which can reveal pretty much all information about Pakistani citizens and this access was misused.
As a reference, some 30 officials have access to the criminal record of Pakistani citizens in Punjab.
Similarly, other departments may have a similar number of officials with direct access to critical data.
It’s no secret that security is often an afterthought in Pakistan. The current case makes it clear that in addition to weaknesses in security infrastructure, we can’t even rely on the processes being foolproof.
ALSO READ
NADRA Has Issued Over 72,000 CNICs to Illegal Foreigners
An approach towards security can never be reactive, it has to be proactive. And controls need to be put in place to immediately identify a potential breach when it happens, rather than when it’s reported.
In addition to severe punishment for people who were trusted with access to sensitive data to serve as a deterrent, the relevant authorities need to urgently review their security processes and infrastructure.
Thanks to the InfoSec Security Team for the tip
lol, koi haal nahi!
So true. I have personally been a victim to such security breaches. Very common in Lahore.
This happen when you give access to the data to not so qualified people. If Nadra could have provided just an API access to PITB the possibility of this breach must be reduced.
We have a right to know whether anyone looked into us lately. Someone please sue PITB.
What an atrocity.
I am literally scared after reading this today.. this is worst form of terrorism..
Wesy me b heraan tha jb Online Database Dumb mill rha tha 40GBs ka hai
jo k Old hai 2013 tak ka
Even me ne apna Cell no likha sara Data aa Gya
I was Shocked to see
:/
This is huge, it should be taken up by national press. Also the institutions FIA, Nab, Supreme court U/A 184 must take action. This is a breach of national security and trust, public officials allegedly compromised the data of, i don’t know millions? and then sold them illegally is a gross misconduct on their part if all that had happened. Institutions must investigate this matter. We should report this matter to FIA. I’m never been more disappointed in my entire life. I don’t know where we are all heading.
This is a huge insult to all law abiding citizens of the country. This is nothing less than terrorism and treason against the state. It is disgusting how the screen shots show that admins of these groups are using Islamic greetings despite the hideous crimes they are committing.
It’s a shame that all the government machinery is turning a blind eye to such a huge breach. This should make front page headlines in all newspapers. There is no privacy in Pakistan whatsoever. Those responsible should be behind bars and these types of breaches pose serious security threats to the country at large – its a matter of shame what our incompetent, corrupt government is doing. There are even scammers now pretending to be security officials and calling people to steal their confidential data by harassing and intimidating them.
Where is the state ? Where is such a huge defense and security budget going ???? Why is such a significant chunk of Pakistan’s security budget going towards giving out expensive properties to senior military officers purchased using taxpayers money instead of where it should actually go…
Across the board accountability needs to be carried out in Pakistan immediately and money should be spent where it matters and not for serving the elite !
Lol i just bought 2 million Pakistani number from dream market for $50
It’s high time for the GoP to have comprehensive law on Customer Data Protection.
Foreseeing vulnerability of national assets, in 2016, I filed writ titling S J Tubrazy v fop, for safety and security citizens of Pakistan. #Careem and PITB data has been hacked every Pakistani wants know how much and what type sensitive data been hacked by hackers.