The National Cyber Emergency Services Response Team (PKCERT) has issued new data protection guidelines for organizations handling citizens’ personal information, amid rising cyber threats.
The advisory, applicable to companies managing Personally Identifiable Information (PII), directs firms to classify data by sensitivity, adopt advanced encryption, enforce multi-factor authentication, and retain data only for legally required durations.
Sectors affected include banks, telecoms, internet providers, logistics firms, government bodies, healthcare, and educational institutions. PKCERT urged immediate system reviews, continuous monitoring, and staff training to prevent breaches.
The body warned that poor data protection could result in identity theft, fraud, privacy breaches, and national security risks, with cybercriminal gangs, state-backed groups, and malicious insiders among likely threat actors.
PKCERT also advised citizens to use strong passwords, enable two-factor authentication, and share CNIC or personal documents only when necessary. According to PKCERT, inadequate data protection can lead to “identity theft, fraud, mass privacy breaches, operational disruption, erosion of public trust, national security risks and legal and regulatory consequences.”
Individuals are advised to limit the sharing of CNICs and documents, use strong passwords, enable multi-factor authentication, and avoid oversharing online.
Earlier this year, PKCERT revealed that the credentials of over 180 million Pakistani internet users had been stolen in a global breach, while a 2024 joint investigation team (JIT) found that 2.7 million Nadra records were compromised between 2019 and 2023.