Sensitive personal information of millions of users of five telecommunication companies operating in Pakistan has allegedly been breached by an international lone hacker and is up for sale.
The hacker is demanding Bitcoin, Tether, or Ethereum equivalent of $2,000 and is using a Telegram account for communication and negotiating the price of sale.
The hacker claims that he has access to the personal information of approximately 500 million records of subscribers of Jazz, Telenor, Ufone, Warid, and Zong.
Here is a breakdown of the number of records of these telecom companies which the hacker claims he has access to:
- Jazz (140.6 million)
- Telenor (250.6 million)
- Ufone (33.2 million)
- Warid (6.5 million)
- Zong (68.7 million)
The hacker claims that the records are updated till March 2020. One sample file for each telecom company has also been shared by the individual for scrutiny.
ProPakistani has analyzed the samples which show that the files are in Microsoft Access database formats with .accdb and .mdb extensions and contain information such as names, mobile numbers, CNIC numbers, and addresses of the subscribers.
Speaking exclusively with ProPakistani, Zaki Khalid, a Rawalpindi-based strategic analyst, said that “on the outset, data samples shared for scrutiny appear legitimate. However, claims of the hacker, of the data being latest as of March 2020, can only be verified by the concerned telecom companies.”
Zaki went on to add that “there are reasons to argue these latest ‘leaks’ might be repackaged files of major breaches that occurred a few years ago. These claims cannot find closure until a thorough inquiry is conducted by the state. Lawmakers in the parliament must demand an immediate inquiry report from these telecom companies.”
On the other hand, the spokespersons for these five telecom companies have categorically rejected the claims of the hacker, adding that their initial investigations have confirmed that no customer data breach has occurred.
The telcos added that they believe in data privacy and take matters related to cyber security extremely seriously, asserting that they have employed comprehensive cyber security systems and procedures to detect and fend off cyber threats and take necessary protective measures. Their paramount priority is to keep our customer data secure, the spokespersons added.
Unfortunately though, this isn’t the first time that telecom companies have suffered similar data breaches. Time and again in recent years, the personal information of millions of Pakistani mobile phone users has been leaked online.
ProPakistani had access to such files in the past as well. We have seen the leaked data personally and can confirm the availability of such data on the internet in the past.
Notwithstanding repeated data breaches of millions of citizens, the government has not yet taken any robust action to hold the telecom companies accountable for their failure to protect the information of their subscribers.
The Ministry of Information Technology and Telecommunication (MOITT) had drafted the Personal Data Protection Bill (PDPB) months ago. The bill was modeled on the same lines as the EU’s General Data Protection Regulation (GDPR). The PDPB contains provisions on data localization and a central data protection authority to secure the personal in order to secure the personal data of the citizens. However, the bill hasn’t been signed into law yet which shows the indifferent attitude of the lawmakers regarding the protection of the personal information of the citizens.