FIA informs NA Committee of NADRA Data Breach; Denies Comments Afterwards

November 26, 2021 – On Thursday, November 25, Dawn.com reported that the Federal Investigation Agency (FIA) disclosed to the National Assembly’s Standing Committee on Information Technology and Telecommunication that the National Database and Registration Authority’s (NADRA) data has been compromised once again. However, the agency changed its remarks afterwards when committee members asked for details, and further released a statement calling reports in the media a misrepresentation of the agency’s comments.

NADRA’s Twitter account also posted a statement and “strongly denied” the remarks given by the Additional Director FIA Tariq Parvez in NA Committee. NADRA stated, “the biometric data of the citizens is completely secured,” adding that, “NADRA’s biometric data has not been hacked,” as suggested by the FIA.

According to the November 25 Dawn report, FIA’s cybercrime wing learned that the registration authority’s biometric data was hacked while fake SIMs were being issued. Tariq Pervez, Additional Director of FIA Cyber Crime Wing, informed the standing committee, “NADRA’s data has been compromised, it has been hacked.”

The report further suggested that the agency seized 13,000 fake SIMs in Faisalabad during a raid, whereas the PTA chairman informed the committee that there were in total 26,000 fake SIMS reported during the month of October alone. The FIA official told the standing committee that the investigative authority is understaffed with only 162 investigation officers; they received 89,000 cybercrime complaints since the hack but the body has been unable to resolve problems efficiently. The lack of resources and staff at the FIA has been highlighted by the agency as a barrier to handling the increasing number of cybercrime complaints that it receives under the Prevention of Electronic Crimes Act (PECA) 2016 that gives FIA the power to investigate these cases.

After the committee briefing, NADRA released a statement stating that the public biometric data was completely safe and had not been hacked. “The FIA statement regarding hacking of biometric data is based on a misunderstanding.” The NADRA official said that they would need clarification over FIA’s “unnecessary statement and misrepresentation of the issue.”

NADRA’s database has been compromised multiple times in the past where the servers were either hacked, accessed by unauthorized persons, or the information was sold off against nominal price. This data was made available on unsecured websites that enabled visitors to search anyone’s personal details based on their phone number or CNIC number. Digital Rights Monitor reported on the story in 2019 and reported one such website to the authorities which was later blocked from accessing in the country, however, remains accessible via VPNs and outside of Pakistan. In addition, just last year NADRA’s data was reportedly breached, the responsibility of which was denied by both the Ministry of Interior and NADRA.

However, NADRA is not the only government entity that has been subject to data breaches and hacks in the past. The servers of the Federal Board of Revenue (FBR) – the authority responsible for collecting and managing financial data of citizens and businesses in the country – were hacked in August this year putting the sensitive financial information worth millions and billions of rupees under threat. Previously, in July 2019, the FIA informed the Senate Standing Committee on IT that the FIA officials at airports were involved in stealing travel data of the passengers used to register new mobile phones as part of the government’s Device Identification Registration and Blocking System (DIRBS) program. The same year a breach was reported to the Punjab Information Technology Board (PITB) that resulted in the loss of confidential data which was sold over the internet by cybercriminals for as low as Rs. 100.

Breaches of databases controlled by official government departments and regulators are a regular occurrence putting the sensitive, critical, and personal data of over 220 million Pakistanis at risk of being misused and abused. Civil society and the technology industry has emphasized on the need of data protection legislation in the country in the wake of these breaches and as the government focuses on digitization in the country as part of its Digital Pakistan vision.

The Personal Data Protection Bill (PDPB) has been in the works since 2017 but has not yet been passed. The proposed legislation by the Ministry of Information Technology will “govern the collection, processing, use, and disclosure of personal data and to establish and make provisions about offenses relating to violation of the right to data privacy by collecting, obtaining, or processing of personal data by any means.”

Civil society has raised concerns over the ambiguity in the law and has highlighted the potential of abuse of power that law can lead to. In April 2021, Media Matters for Democracy said that it is “concerned about the insertion of draconian and anti-democratic sections” in the bill, and further mentioned that, “We wish to remind the government that the purpose of a data protection law is to protect citizens from the misuse and abuse of personal data, and not to create ways to enable a government’s access and control over the data.”

According to reports dated November 22, The Ministry of IT & Telecommunication has finalised the data protection bill and has sent the draft to the Ministry of Law for vetting before it will be sent to the Cabinet for approval. 

Mishaal is a Project Coordinator at Media Matters for Democracy. She is a Public Policy graduate with past experience as content strategist and research writer. Her main areas of interest are political science, world history, and public policy.

No comments

Sorry, the comment form is closed at this time.