In a serious breach of security, the private and confidential data of Pakistanis got compromised due to government officials sharing their passwords that were used to access NADRA data.
According to details shared with ProPakistani, the data breach occurred when NADRA gave access of its servers to Punjab Information Technology Board (PITB), which wanted to digitize citizens’ data by linking CNICs with every other department, including but not limited to education, health, police and land registry.
There is currently no evidence available with ProPakistani whether a bigger dump of entire database was extracted or not
As part of the process, access to NADRA data was given to authorized users in different departments in Punjab, who then allegedly shared their credentials leading to data being extracted and being sold online for a nominal price.
We have noticed a video being shared on Whatsapp claiming that PITB and NADRA have been hacked and data has been leaked online, which is untrue according to the information we have right now.
Please note that the leakage of data through hacking and misuse of authorization (sharing your password with friends) are different types of breaches and must be distinguished accordingly.
So if someone tells you that PITB or NADRA are hacked, we can confirm that it’s untrue.
The information about Pakistani citizens sold online included names, addresses, driving licenses associated with CNIC numbers, criminal records, call details, location, whether or not someone has taken a loan and so on.
The data was sold in private groups on Facebook and Whatsapp as well as directly by those who have or had access to the system. In one case, call records of any cell phone number were being sold for Rs. 100 only.
NADRA says that it’s aware of the situation and claims that PITB was responsible for the safety of the data. It said that a deadline has already been given to the Punjab IT Board to resolve the matter.
Dr. Umar Saif, while speaking with ProPakistani, said that PITB is actively revoking access of the people who misused their access and said that departmental inquiries and action has been taken against the responsible personnel.
According to Dr. Saif, all reported instances have been resolved and they are actively looking for any breach of authorization to block the access.
There is currently no evidence available with ProPakistani whether a bigger dump of entire database was extracted or not, but we can confirm that dozens of officials have access to PITB developed systems which can reveal pretty much all information about Pakistani citizens and this access was misused.
As a reference, some 30 officials have access to the criminal record of Pakistani citizens in Punjab.
Similarly, other departments may have a similar number of officials with direct access to critical data.
It’s no secret that security is often an afterthought in Pakistan. The current case makes it clear that in addition to weaknesses in security infrastructure, we can’t even rely on the processes being foolproof.
An approach towards security can never be reactive, it has to be proactive. And controls need to be put in place to immediately identify a potential breach when it happens, rather than when it’s reported.
In addition to severe punishment for people who were trusted with access to sensitive data to serve as a deterrent, the relevant authorities need to urgently review their security processes and infrastructure.
Thanks to the InfoSec Security Team for the tip