Pakistan’s data privacy nightmare is spiraling as Jazz, the country’s largest telecom operator, faces renewed backlash over alleged misuse of user data. This comes just as a major Pakistan Telecommunication Authority (PTA) breach has exposed systemic vulnerabilities at the very institution meant to safeguard citizens’ digital rights.
Dozens of websites are offering sensitive data, including mobile location information, call records, and overseas travel histories. According to BiometricUpdate.com, mobile location data is being sold for 500 Pakistani rupees ($1.76), detailed call records for PKR 2,000 ($7), and travel histories for PKR 5,000 ($17.55).
Only months ago, Pakistan’s National Cyber Emergency Response Team reported that login credentials for over 180 million users had been stolen in a global data leak. Victims included users of social media, government portals, banks, and healthcare systems.
Ahmad Hassan, CFO of Daraz took to LinkedIn in the wake of finding out malpractices at Jazz. He accused Jazz of sharing customers’ mobile numbers with insurance companies and commercial enterprises for marketing campaigns.
“I am really shocked that Jazz is sharing our mobile numbers with different commercial enterprises including insurance companies to promote their products. It is really frustrating to receive these unsolicited calls at most inappropriate times. Someone really needs to take a notice of this exploitation & monetization of customer data by the biggest Telcos of Pakistan,” Hassan posted on LinkedIn.
His comments echo long-standing frustrations among Jazz users, who frequently complain about spam calls, promotional SMS, and privacy violations.
Jazz has faced multiple major data leaks over the last five years. In 2020, a massive breach exposed details of over 115 million mobile subscribers, including Jazz customers, marking one of the biggest privacy incidents in Pakistan’s history.
In 2022, dark web forums reportedly sold 71 million Jazz records, including names, CNICs, and SIM registration details. While PTA denied an official breach, it admitted there had been “unauthorized access.”
At that time, Jazz clarified their stance on data leaks:
In 2023, Jazz was fined Rs. 10 million by PTA; not for privacy issues but for overcharging customers. Despite repeated privacy controversies, there has been no regulatory penalty specifically for mishandling or leaking user data.
These incidents have eroded public trust, raising concerns that Pakistan’s largest telecom operator has failed to adopt world-class security practices.
Jazz’s privacy policy mentions that they might share customer data with third parties for things like billing, customer service, and marketing partnerships. However, they make it clear that when it comes to agreements with digital ad exchanges and ad agencies, they only use anonymized data.
Although Jazz has faced data breaches in the past where hackers sold user data illegally, the company itself doesn’t sell raw customer data to other businesses in Pakistan. At least, that is what the official narrative has been so far.
In 2025, hackers infiltrated 1,300 government websites, including systems under PTA’s supervision, and exposed sensitive records of senior officials. This incident has shaken confidence in the regulator’s ability to protect critical telecom infrastructure and enforce accountability on operators like Jazz.
The breach has sparked calls for an independent cybersecurity authority with powers to investigate telecom operators and mandate public disclosure of data leaks.
Pakistan’s Personal Data Protection Bill (PDPA), which would require breach disclosure within 72 hours, is yet to formalize. As shocking as it is, there is no direct cyber-protection law in Pakistan that safeguards individuals and entities from data leaks and sell-offs.
Without an enacted PDPA, over 80 million Jazz users have no clear legal recourse if their data is leaked, shared, or monetized without consent.
To protect yourself against unsolicited marketing cold calls, here is something you can do:
In case of data sell-offs on the dark web, you can confirm if you were involved in data breach. Google has started notifying users of their email/password leaks on dark web recently, but if that is not enough, you can use services like HaveIBeenPwned.com to see if your email/phone number has been leaked.
If your data is breached, immediately do the following:
Some more protective measures you can take is to use a VPN while surfing the internet and avoid using public Wi-Fis especially if you have to use bank apps.
If telecos like Jazz, Telenor, Ufone and Zong are involved with data selling which eventually reaches dark web, there is not much anyone can do but to pressurize the authorities for justice. Understand that leaked data and data sell-offs are irreversible on a larger scale. It is better to focus on damage control. Stay alert for phishing calls, scams, or fake loan offers targeting you after a leak, and do all protective steps.
PTA has denied of any large data breaches of telecommunication sector, while Jazz has not issued any public statement about the accusations.