An audit report has flagged serious data security lapses at the Directorate General of Petroleum Concessions (DGPC), the body responsible for issuing oil and gas exploration licenses in Pakistan, warning that sensitive information remains exposed due to the absence of proper cybersecurity policies.
The report found that DGPC lacks clear policies for data access, encryption and change management, leaving critical information vulnerable to growing cyber threats. It also noted the absence of an additional verification system to safeguard sensitive records.
Without automated monitoring, the directorate has no ability to detect cyberattacks in a timely manner, the report said, adding that technical data is not encrypted, which increases the risk of unauthorised access.
According to the audit, the lack of data encryption could lead to data leaks and system compromise. Weaknesses in cybersecurity controls have left the information system vulnerable, while financial data within the management system was found not to be updated on time.
The report identified serious flaws in the monitoring of financial information submitted by companies and in the maintenance of accurate records. It said DGPC software was incapable of fully monitoring company project data, while the absence of an effective transcription quality check system raised concerns about the reliability of technical records.
Inadequate oversight of technical data submissions, including 3D and 2D seismic survey data, was also flagged in the report.
To address these risks, the audit recommended introducing a multi-factor authentication process to reduce information security threats. It further called for immediate strengthening of data protection, access control and log monitoring systems, stating that DGPC needs to improve its cybersecurity and governance safeguards.