Sensitive information of millions of Pakistani citizens may have been compromised in what can be dubbed the biggest data breach in Pakistan.
In August last year, ProPakistani reported that the Punjab Information Technology Board (PITB) had exposed sensitive data of thousands of individuals, comprising CNICs and scanned copies of personal documents. According to PITB, the bug responsible for this exposure was fixed; however, no comment was made on who now holds the leaked data.
Nine months later, PITB is yet again in deep water after it was revealed that sensitive information acquired through various PITB portals is now being sold publicly. This information comprises personal and family data held by NADRA, criminal records tracked by the Police and call data recorded by telecom companies.
According to the reports and evidence received by TechJuice from two separate entities, the sensitive information compromised includes:
- CNIC Information
- NADRA Family Tree Data
- Criminal Records
- Rent Tenant & Hotel Visitor Information
- Offline Databases of Registered Mobile Users
How did it happen?
The breach traces back to when PITB gained access to NADRA’s server after it was allowed to digitize the data of citizens by linking CNIC numbers to various public departments. This data could only be accessed by authorized users; however, it is now alleged that these officials shared their credentials, which were then used to extract and trade sensitive information of Pakistani citizens.
A data archive of registered telecom users was also leaked online in late August and early September last year. The archive contains information about registered mobile users of Pakistan, categorized by telecom company. The archive is publicly available and contains the personal information recorded for verified SIMs: contact numbers, customer name, address, city and the telecom plan in use. Despite the leaked information having been brought to light, the data remains available.
While some of the major groups that were visible yesterday no longer show up in Facebook search, one of the groups that TechJuice gained access to is still operating, although its name has been changed to Urdu.
How is this data being publicly sold on social media?
As a result, data was extracted and is now being sold publicly in Facebook and WhatsApp groups for as little as PKR 100. When TechJuice viewed one of these public groups, we were horrified to see that some of the members were running promotional campaigns for a limited time to share data for free. Complete NADRA family trees were also being sold in these groups.
Which application compromised this data?
PITB has developed various portals for digitizing diverse sectors. One such portal is AgriLoan, which was developed to boost the agriculture sector of Pakistan. The portal provides loans to small farmers through a convenient process in which all of the data is automated and can be accessed simply by entering the CNIC of a registered farmer. PITB’s website states that all “stakeholders can access the database of over 350,000 registered farmers”. However, with reports of the recent data breach, it is evident that various unauthorized personnel also gained access to this database.
AgriLoan was being frequently used by the members of these questionable Facebook groups to trade NADRA data. The members were using CNIC numbers to extract comprehensive NADRA details from the portal, such as the photograph and location details associated with a CNIC number. Users who had the credentials were commonly asked to extract photographs for a nominal price.
Upon research, TechJuice discovered that login credentials for the Lahore and Sargodha districts had been publicly shared for free. The username and password for the authorized access also appeared to be identical, indicating a huge security lapse. Members also posted a step-by-step guide to help other users extract information from the portal.
The AgriLoan login panel was accessible until yesterday; however, the link is no longer working today. A tutorial on YouTube also explains how to extract CNIC data from the AgriLoan portal. The tutorial uses the same credentials for the Lahore district as revealed by the Facebook user above.
Allegedly, the Police Tool Kit used by Punjab Police and the Pak vs World XI app were also exposing sensitive citizen information such as criminal records, vehicle registration numbers, locations and CNIC information against verified SIMs. Various users in the Facebook group claim to have access to the Police Tool Kit and were either selling login credentials or extracting information for other users.
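The weakness described in this section is a portal that returns citizen records for any CNIC typed in, protected only by a password that several people end up sharing. A defender-side check for that pattern, added here as an example and not taken from the article, PITB or any of the portals named: it scans a constructed audit log of a CNIC-lookup portal and flags accounts whose credentials appear to be shared (many source networks) or used for bulk extraction (many lookups per minute). The log format, account names, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp, account, source IP,
# CNIC looked up. One account used from four networks within seconds.
SAMPLE_LOG = """\
2018-05-06T09:00:01 lahore_officer 10.1.2.3 35202-0000001-1
2018-05-06T09:00:05 lahore_officer 10.1.2.3 35202-0000002-9
2018-05-06T09:00:09 lahore_officer 203.0.113.7 35201-0000003-1
2018-05-06T09:00:10 lahore_officer 198.51.100.9 35201-0000004-2
2018-05-06T09:00:12 lahore_officer 203.0.113.7 35201-0000005-3
2018-05-06T09:00:15 lahore_officer 192.0.2.44 35201-0000006-4
2018-05-06T09:05:00 sargodha_officer 10.1.5.6 38403-0000007-5
"""

def parse_log(text):
    """Parse whitespace-separated audit lines into (time, account, ip, cnic)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, cnic = line.split()
        rows.append((datetime.fromisoformat(ts), account, ip, cnic))
    return rows

def peak_lookups(times, window_s=60):
    """Largest number of lookups by one account inside any window_s seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_shared_accounts(rows, max_ips=2, max_per_minute=5):
    """Return {account: [reasons]} for accounts that look shared or scripted.
    Thresholds are assumed values; tune them to the portal's real usage."""
    ips, times = defaultdict(set), defaultdict(list)
    for ts, account, ip, _cnic in rows:
        ips[account].add(ip)
        times[account].append(ts)
    findings = {}
    for account in ips:
        reasons = []
        if len(ips[account]) > max_ips:
            reasons.append(f"{len(ips[account])} distinct source IPs")
        peak = peak_lookups(times[account])
        if peak > max_per_minute:
            reasons.append(f"{peak} CNIC lookups within 60s")
        if reasons:
            findings[account] = reasons
    return findings
```

On the sample log only the Lahore account is flagged, on both counts; a real deployment would feed the portal's own access log into `parse_log` and alert or lock the account on a finding.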
What do NADRA and PITB have to say about this breach?
In conversation with ProPakistani, NADRA revealed that it was aware of the situation and pinned the responsibility for the safety of the data on PITB. NADRA had already set a deadline for PITB to resolve this breach. NADRA has frequently mentioned the lack of security measures put in place by PITB to protect the data.
ProPakistani also reached out to Dr. Umar Saif, who said that PITB is actively revoking access to its portals and applications, while also launching inquiries and action against the personnel allegedly involved. He said that all instances have been resolved and that PITB is actively blocking any breach of authorization. However, he did not comment on the security protocols that PITB had failed to deploy in the apps and portals in question.
TechJuice has reached out to NADRA for a comment. We also reached out to the InfoSec team who shared the details with us as #PITBLeaks, however, they declined to comment further.
[Update] Chairman PITB, Dr. Umar Saif has recently tweeted on the matter but it seems that PITB is also unaware of the culprits behind this data violation.
Punjab Government will be taking legal action for whoever is responsible for making and propagating false, unfounded and malicious content against government IT systems on WhatsApp, Facebook and Twitter.
— Umar Saif (@umarsaif) May 7, 2018
On the other hand, the InfoSec Team has also launched a campaign on Twitter:
#NADRA, police, and telecom data of citizens got leaked in the biggest #cybersecurity #breach in the history of #Pakistan. Everything from your address, call records, police records, driving license database, even the hotels u stayed in
— #PITBLeaks (@pitbleaks) May 7, 2018
How does it impact Pakistani citizens?
The scale of this breach is unfathomable and poses a danger to each citizen whose information has been compromised. In the hands of criminals, anti-state actors and terrorists, this non-renewable information puts the safety of every Pakistani citizen at risk. The CNIC numbers and locations of citizens can be used to access bank accounts, modify criminal records, and track them. The question is, how will NADRA and PITB be held accountable for the breach? How will the perpetrators be tracked and brought to justice? Most importantly, how can the leaked information be prevented from being cloned, used, and modified?
The story has been updated to add Dr. Umar Saif’s official tweet and to reflect the evidence verified by TechJuice team.
Sajeel Syed has also contributed to this article.