January 22, 2022 – On January 15, news started circulating on Twitter about Telenor and Jazz databases getting hacked. A user, Zaki Khalid, tweeted that the database that is up for sale in a Telegram group, contains a private database of Telenor which includes the personal information of 67.48 million subscribers, including their names, phone numbers, CNICs, and postal addresses. The hacker had allegedly put the data up for sale in exchange for cryptocurrency equivalent to US $250. The size of eleven leaked files consisting of Telenor data is estimated to be 14.3 GB.
Telenor private database is on sale by a hacker for Bitcoin/ Tether/ Ethereum equivalent to USD 250.
Contains 11 files in .accdb (Access Database) format containing 67.48 million records with columns titled ‘Number’, ‘Name’, ‘CNIC’ and ‘Address’.
Total size: 14.3 GB. pic.twitter.com/GAZcmA6tX9
— Zaki Khalid (@misterzedpk) January 15, 2022
Another account, OSINT Insider, shared that the database also includes records of 71 million subscribers of Jazz.
Telenor hacked database includes 67 million records while Jazz database includes 71 million records.
It is not clear if database has been recently hacked or it is the data from the last hack that happened in 2021.
— OSINT Insider (@OSINT_Insider) January 15, 2022
In a later update, Khalid said that the hacker, who previously claimed to have accessed Telenor and Jazz’s databases, now has illegally retrieved data of all telecommunication companies in Pakistan, and has access to sensitive data of 500 million users, of which most of them have subscribed to Jazz and Telenor’s services. According to Khalid, the hacker has claimed in the Telegram chat where he is allegedly selling this data, that the records are updated till March 2020 and is selling it at a price of US $2000.
The same hacker who was selling Jazz + Telenor datasets is now selling datasets of all telcos totalling ~500 million records. Claims that all records are updated till March 2020.
— Zaki Khalid (@misterzedpk) January 17, 2022
Response of Telecom Companies
While most of the telecom companies have continued to remain silent on the news, Telenor Pakistan’s official account has denied reports of the data breach via multiple Twitter replies, and revealed that the initial investigation conducted by the company has confirmed that the data of their users is safe and has not been compromised. The tweet stated that further investigations on the issue are ongoing.
Hi. Our initial internal investigations confirm that no customer data breach has transpired from any of Telenor Pakistan’s system(s). We will continue further investigate this matter.
1/2— Telenor Pakistan (@telenorpakistan) January 15, 2022
Responding to another tweet, Jazz also denied the reports of their data being compromised.
Jazz continues to develop advanced cyber security capabilities to actively protect its networks, products and customer data. There have been no reports of any unwanted activity on our network or breach of subscribers’ data. (1/2)
— Jazz (@jazzpk) January 16, 2022
Both Telenor and Jazz are amongst the leading players in the telecommunication industry in Pakistan. Claims regarding the establishment of appropriate and comprehensive cybersecurity systems by the two companies have been made through their tweets, and users have been ensured that their data is safe and secure.
Hija Kamran, the Digital Rights Lead at Media Matters for Democracy which runs Digital Rights Monitor, and a privacy advocate, says, “It is imperative to understand that data breaches and hacks are not the only way personal and sensitive data can be leaked. In fact, unauthorised access is a concern that needs to be considered as well. While the servers may not have been breached, a person with access to the server or database could have copied and leaked this data.” She adds, “Technically, the servers were not breached, and the investigation of the telecom companies would also reveal that no hack took place. But we have seen multiple times in the past that the weakest link in data protection is a human themselves.”
Occurrences of data breaches and unauthorised access to servers are very common in Pakistan. Even for Telenor, this is not the first reported incident of potential database compromise in Pakistan, in fact, it experienced a cyberattack in 2017 as well where some employees noticed abnormal activity on their work computers, but the telecom company formally dismissed news of such sort. In 2019, a website was found to have been hosting NADRA databases of citizens, with accuracy of 9 out of 10 people’s information. The database was outdated for many individuals whose information was run to check the authenticity of the data. It was later revealed that while no servers were hacked to acquire this particular set of data, an unauthorised person had gained access to the citizenship database who later dumped it on the website for anyone to access. The website was later blocked by the PTA. More recently, in November 2021, the Federal Investigation Agency (FIA) had informed the National Assembly Committee on IT that NADRA’s database was hacked, a report that was denied by NADRA and a comment that was also refuted by the FIA in a statement. A few months prior to this news, in August 2021, the online database of the Federal Board of Revenue (FBR) that stores sensitive financial and tax information on citizens and businesses in the country, was also illegally accessed by hackers, putting at risk data worth millions and billions of rupees.
Data Protection
Breach or no breach, the need for Personal Data Protection Bill (PDPB) has once again risen. Civil society has time and again highlighted the importance of a concrete law that prioritises protection of people’s data over its control at the hands of the authorities. Despite constant reminders, the draft bill that is in the works since 2017 has not been passed. In the absence of a data protection law, the data of over 220 million Pakistanis is constantly at risk of being breached and misused.
