August 16, 2021 – A successful hacking attempt of the largest data centre controlled and managed by the Federal Board of Revenue (FBR) – the authority to regulate taxation in Pakistan – was reported over the weekend, hinting at the compromise of information of millions of citizens and trillions of Rupees of transactions stored on this system. According to the reports, the hackers took advantage of the vulnerability in the Microsoft Hyper-V software that allows companies to set up virtual computer environments and to run multiple operating systems on one physical server.
The news of the hacking came as, according to a statement by FBR on Saturday dated August 14, the data centre was undergoing routine migration for the upgradation of the system to enhance its productivity. However, the statement further states, “The stakeholders, who are being provided services from the data center, are informed that there were unforeseen anomalies during the migration process, which has resulted in the unavailability of services since early hours of last night.”
In another statement on Sunday, the authority further clarified that the downtime of the system was due to the migration of the system, and does not acknowledge the reports of a major hacking of its data centre resulting in the compromise of sensitive data.
— FBR (@FBRSpokesperson) August 15, 2021
However, responding to a tweet regarding the hack, Chairman NADRA Tariq Malik said on Twitter that NADRA’s technical teams were immediately deployed to assist FBR when it reached NADRA for damage control. He writes, “#NADRA was approached last night to help #FBR -I immediately deployed NADRAs Tech team to control damage and restore operations. Working 24/7 with FBR we are able to restore customs’ ops on priority to avoid public inconvenience. We will restore all data center ops InshaAllah.”
#NADRA was approached last night to help #FBR -I immediately deployed NADRAs Tech team to control damage and restore operations. Working 24/7 with FBR we are able to restore customs’ ops on priority to avoid public inconvenience. We will restore all data center ops InshaAllah.
— Tariq Malik ™ (@ReplyTariq) August 15, 2021
Responding to a request for comment on the lack of transparency, acknowledgement of the hack, and keeping citizens in the dark regarding the compromise of their data, an FBR spokesperson told DRM to “follow FBR Spokesperson Twitter account”, which did not offer any clarification of the hack at the time of writing the article.
Sadaf Khan, co-founder of Media Matters for Democracy that runs Digital Rights Monitor, says, “It’s interesting that FBR is neither confirming nor denying the reports of the hack on its data centre. We would assume that the moment the news got out, there would be a statement offering full transparency on the extent of the damage, and assuring citizens that damage control is in the process.” She further adds that it is the responsibility of government bodies to be transparent in the events like this, “This is not the first incident where citizens’ sensitive data on government-controlled servers is compromised, and this is also not the first time we are not offered an explanation and transparency. The least that could be done right now is to inform what kind of data was compromised, what is at risk, what has the authority done to control the damage, and how does it plan to mitigate the risk of such instances from happening again.”
According to Express Tribune, FBR received multiple warnings of potential cyber attack in the days leading up to the hack but the taxation authority ignored these alarms and continued to take no action to secure the data centre, resulting in putting sensitive financial information of businesses and citizens at risk.
Following this news, network access to more than 1500 computer systems of FBR was up for sale on a Russian cybercrime forum. According to a tech news website, HackRead, this network access is being sold for $26,000, equivalent to PKR 4,274,000.
Sadaf says that it should not be this easy to gain access to critical information of any country, and adds that this vulnerability, lack of transparency and accountability is the result of the absence of a data protection law in the country. “Civil society has time and again stressed on the need to pass a comprehensive data protection law, all because of events like this. We know that these hacking attempts will continue to take place because protection of data continues to be the least important priority of the government departments controlling and managing digital data of citizens.” She concludes, “We have not received any update on the data protection bill that is in the works since 2018. The hacking of FBR’s data centre is only an indication that the ministry of IT must prioritise the passing of the law that protects citizens’ data and interests rather than giving control of their information to the authorities as indicated in the current drafts of the bill.”
At the time of writing this story, official FBR channels have not issued any statement acknowledging the hack and have not reported the extent of the damage incurred.