A recent Senate committee meeting has brought to light a critical and ongoing data privacy crisis in Pakistan, with lawmakers challenging the Pakistan Telecommunication Authority (PTA) over persistent data breaches.
Personal information belonging to millions of Pakistani citizens, including SIM data, CNICs, travel histories, and records of Hajj applicants, has been compromised and sold on the dark web since 2022. The crisis is fueled by a longstanding policy vacuum, particularly the absence of a robust data protection law, which leaves citizens exposed and undermines national security.
The dark web, a hidden segment of the internet, is a bustling black market for stolen personal data. Unlike the surface web, it requires specialized tools like the Tor browser to mask user identities and traffic.
In these illicit marketplaces, databases containing personal identifiers are among the most damaging commodities, enabling identity theft and cybercrime on a massive scale. Experts have indicated that sensitive data like CNICs and SIM numbers are particularly valuable on the dark web.
The portion of the World Wide Web became notorious because it quickly became synonymous with illicit marketplaces, trading drugs, providing weapons, and other illegal goods and services.
The PTA, despite efforts to block websites selling the stolen data, confirmed the extensive leaks, acknowledging that even the PTA chairman’s own SIM data was compromised. This systemic failure is largely attributed to the delay in finalizing and enacting the Personal Data Protection Bill, 2023. While the bill, modeled on the EU’s GDPR, aims to regulate data handling and mandate breach notifications, it remains pending in Parliament.
The current legal framework, the Prevention of Electronic Crimes Act (PECA), 2016, focuses on punishing cybercrimes rather than proactively protecting privacy. It lacks clear provisions for data privacy rights, corporate accountability for data security, and robust enforcement mechanisms. This legal gap has facilitated the proliferation of data leaks and eroded public confidence in the state’s ability to protect its citizens.
Information exposed on the dark web is being sold at alarmingly low prices, further exacerbating the risks for affected individuals. According to local media reports, mobile location information is available for as little as Rs500 (~$1.76 USD), with detailed mobile records fetching Rs2,000 (~$7 USD), and international travel details selling for Rs5,000 (~$17.55 USD). Some reports indicate even lower prices, with personal information being sold for as little as Rs. 350.
The low cost of this sensitive data makes it easily accessible to malicious actors looking to exploit it for identity theft, fraud, or other nefarious activities.
The exposure of sensitive data has far-reaching consequences:
To address the crisis, Pakistan must implement a comprehensive strategy:
Challenges include reliance on foreign servers, resource shortages, and bureaucratic delays. However, experts emphasize that with the necessary political will and strategic investment, Pakistan can mitigate these threats.
Incident: According to an infographic by the Digital Rights Foundation, the National Database and Registration Authority (NADRA) database was reportedly compromised in 2017, with reports alleging that sensitive data fell into the hands of foreign intelligence agencies.
Context: This was part of a larger pattern of vulnerabilities and scandals at NADRA, including the issuance of thousands of fake CNICs over the years.
Incident: Hackers stole the credit and debit card details of over 19,000 users from around a dozen Pakistani banks. The data was subsequently sold on the “Jokerstash” dark web forum for prices ranging from $100 to $135 per card.
Response: In response, the State Bank of Pakistan (SBP) advised commercial banks to block international transactions for affected customers. The Federal Investigation Agency (FIA) acknowledged the breach and admitted the need for improved security.
Incident: Cybersecurity firm Rewterz discovered a data dump containing the personal information of 115 million Pakistani mobile users for sale on the dark web. The data included full names, addresses, CNIC numbers, tax details, and mobile phone numbers.
Context: The cybercriminal demanded 300 BTC (equivalent to over $2.1 million at the time). The breach was reportedly linked to a leak from telecom provider Mobilink (Jazz) but could have originated from a business partner or government agency.
Incident: A Joint Investigation Team (JIT) confirmed that the personal information of 2.7 million citizens was compromised from NADRA’s database between 2019 and 2023.
Findings: The JIT found that NADRA offices in Karachi, Multan, and Peshawar were involved, with the stolen data reportedly surfacing in Argentina and Romania. Disciplinary action was recommended against officials, and technology upgrades were suggested.
Incident: Pakistan’s National Cyber Emergency Response Team (N-CERT) issued a warning about a global data breach that exposed the login credentials and passwords of over 180 million internet users worldwide, including a large number in Pakistan.
Details: The leak, believed to have been caused by “infostealer malware,” compromised credentials for services like Google, Microsoft, Apple, Facebook, and various banking and healthcare platforms.
Incident: During a Senate committee meeting, lawmakers confirmed that the personal data of approximately 300,000 Hajj applicants, along with CNICs, travel histories, and SIM data, was circulating on the dark web. The PTA chairman acknowledged that even his own SIM data had been compromised since 2022.
Response: The Interior Minister ordered an investigation, and the PTA moved to block over 1,300 websites involved in the illegal trade of citizen data.
The ongoing data breach crisis comes across as a fundamental challenge to national security, economic stability, and public trust.
By finalizing data protection laws, strengthening enforcement, and investing in robust digital infrastructure, Pakistan has the opportunity to transform this crisis into a model for regional data privacy and security.