While National Institutional Facilitation Technologies (Pvt.) Limited claimed that it was able to nullify an “attempted breach” that took down both of its data centers in Islamabad and Karachi two weeks ago, turns out the Cheque Clearing House has lost terabytes of data.
Our channel checks have informed us that NIFT – the only Automated Cheque Clearing House and prominent Payment System Operator in Pakistan – wasn’t hard to crack. Within moments of the initial breach, hackers downloaded several terabytes of data, which include scans of all the cheques on the NIFT database.
Hackers have claimed that they have gained access to and downloaded the ePay source code stored on one of the most common servers on the platform and said that the ePay source will be uploaded for full public access in the near future.
According to a sample seen by ProPakistani, a lot of the onboarding data, personal data including merchant data, audit logs, and scanned passport documents were stored in a “confidential” folder.
“We think you all have already read the news of this company. They claim ‘our customer’s data and privacy is sacrosanct’. Today we will clearly demonstrate that this is not true. By the way, the representative of this company did not even try to contact us to find out if we have taken any of their data,” one of the hackers said in an emailed response.
“We downloaded several terabytes of data, which include scans of all the cheques from their database. All the source code of the ePay project was stored on one of the most common servers, while a lot of personal data was also stored in a “confidential” folder. In the near future, we will upload all the source codes of their ePay service for public access,” they added.
The NIFT Spokesperson told ProPakistani, “Whereas a detailed investigation is ongoing, preliminary findings of the forensics team seem to suggest that limited customer data of an operational nature may have been compromised. However, NIFT is taking all necessary steps to protect its customers”.
The country’s sole automated Cheque Clearing House and Payment System Operator is weak and the State Bank of Pakistan needs to re-assess the platform’s license.
In response to ProPakistani’s query, SBP’s Spokesperson said, “NIFT’s operations have been controlled to be normalized and there is no inconvenience reported by customers within the banking system. The organization is investigating this incident and will submit a detailed report to the banking regulator about the factors behind this attack and ensuing measures to cope with this challenge”.
The day-to-day cheque clearance is proceeding as informed but the existing architecture isn’t robust enough to uphold the privacy of customers. Furthermore, it raises concerns about the State Bank of Pakistan’s auditing process; such flaws are not new and have occurred in the past.
Local finance management systems and networks require regular and comprehensive technical audits to identify and remove vulnerabilities. Training on Cyber Security and Social Engineering fundamentals should be encouraged while more platforms like NIFT (with hackproof security) should be introduced to minimize the occurrence of such issues in the future.