Auditor General of Pakistan (AGP) has directed the Federal Board of Revenue (FBR) to explain the hacking of the FBR systems, massive breakdown of data center and E-Portal, and progress on the IT security system upgrade.
According to AGP’s report about the FBR website hack, the contract executed between FBR and Pakistan Revenue Automation Limited (PRAL) provides for “data security”. The PRAL will not share FBR’s data with any other department, agency or tax practitioner. Additional system security and access control policies and procedures applicable to services shall be set forth as per standard data governance rules. In the event of an actual or threatened breach of FBR’s data security including a firewall breach, PRAL will fully cooperate with FBR to secure the data. Firewall and security certifications for applications listed must be kept updated at all times. The security certification purchased for FBR’s applications must not be used for any other commercial project undertaken by PRAL.
During audit of accounts of the Chief Executive Officer PRAL Islamabad for the Financial Year 2020-21, it was observed that massive breakdown of FBR’s E-portal had occurred all over Pakistan as all the applications including Inland Revenue Information System (IRIS), Integrated Tax Management System (ITMS), Weboc, One Customs etc. were hacked.
It is pertinent to mention that during the year ending on June 30, 2021, an amount of Rs. 990.00 million was expended for services rendered by PRAL in addition to equipment and assets provided by FBR.
In view of PRAL in addition to eq foregoing, the audit observed that PRAL could not maintain an adequate and effective system despite reasonable funds provided by FBR. As per contract for data security executed between FBR and PRAL, it was agreed that firewall and security certification for applications of FBR must be kept updated at all times. PRAL informed that data center had adequate firewalls due to which data was not stolen by hackers. However, improvements and system upgrade was in process.
The AGP emphasized that the fact finding report prepared by the committee, duly certified by Member IT regarding massive break-down of data center and d e-Portal of FBR, may be furnished to audit along with progress on up-gradation of the system, under intimation to the AGP.
FBR and Fedral Govt. Should explain & publicly why such breach occurred and held responsible.
very good job AGP has done.. applaudable