Reports of Telecom Data for Sale; Companies Deny Any Breach

January 22, 2022 – On January 15, news started circulating on Twitter about Telenor and Jazz databases getting hacked. A user, Zaki Khalid, tweeted that the database that is up for sale in a Telegram group, contains a private database of Telenor which includes the personal information of 67.48 million subscribers, including their names, phone numbers, CNICs, and postal addresses. The hacker had allegedly put the data up for sale in exchange for cryptocurrency equivalent to US $250. The size of eleven leaked files consisting of Telenor data is estimated to be 14.3 GB. 


Another account, OSINT Insider, shared that the database also includes records of 71 million subscribers of Jazz.


In a later update, Khalid said that the hacker, who previously claimed to have accessed Telenor and Jazz’s databases, now has illegally retrieved data of all telecommunication companies in Pakistan, and has access to sensitive data of 500 million users, of which most of them have subscribed to Jazz and Telenor’s services. According to Khalid, the hacker has claimed in the Telegram chat where he is allegedly selling this data, that the records are updated till March 2020 and is selling it at a price of US $2000. 


Response of Telecom Companies


While most of the telecom companies have continued to remain silent on the news, Telenor Pakistan’s official account has denied reports of the data breach via multiple Twitter replies, and revealed that the initial investigation conducted by the company has confirmed that the data of their users is safe and has not been compromised. The tweet stated that further investigations on the issue are ongoing. 


Responding to another tweet, Jazz also denied the reports of their data being compromised. 


Both Telenor and Jazz are amongst the leading players in the telecommunication industry in Pakistan. Claims regarding the establishment of appropriate and comprehensive cybersecurity systems by the two companies have been made through their tweets, and users have been ensured that their data is safe and secure.


Hija Kamran, the Digital Rights Lead at Media Matters for Democracy which runs Digital Rights Monitor, and a privacy advocate, says, “It is imperative to understand that data breaches and hacks are not the only way personal and sensitive data can be leaked. In fact, unauthorised access is a concern that needs to be considered as well. While the servers may not have been breached, a person with access to the server or database could have copied and leaked this data.” She adds, “Technically, the servers were not breached, and the investigation of the telecom companies would also reveal that no hack took place. But we have seen multiple times in the past that the weakest link in data protection is a human themselves.” 


Occurrences of data breaches and unauthorised access to servers are very common in Pakistan. Even for Telenor, this is not the first reported incident of potential database compromise in Pakistan, in fact, it experienced a cyberattack in 2017 as well where some employees noticed abnormal activity on their work computers, but the telecom company formally dismissed news of such sort. In 2019, a website was found to have been hosting NADRA databases of citizens, with accuracy of 9 out of 10 people’s information. The database was outdated for many individuals whose information was run to check the authenticity of the data. It was later revealed that while no servers were hacked to acquire this particular set of data, an unauthorised person had gained access to the citizenship database who later dumped it on the website for anyone to access. The website was later blocked by the PTA. More recently, in November 2021, the Federal Investigation Agency (FIA) had informed the National Assembly Committee on IT that NADRA’s database was hacked, a report that was denied by NADRA and a comment that was also refuted by the FIA in a statement. A few months prior to this news, in August 2021, the online database of the Federal Board of Revenue (FBR) that stores sensitive financial and tax information on citizens and businesses in the country, was also illegally accessed by hackers, putting at risk data worth millions and billions of rupees. 


Data Protection

Breach or no breach, the need for Personal Data Protection Bill (PDPB) has once again risen. Civil society has time and again highlighted the importance of a concrete law that prioritises protection of people’s data over its control at the hands of the authorities. Despite constant reminders, the draft bill that is in the works since 2017 has not been passed. In the absence of a data protection law, the data of over 220 million Pakistanis is constantly at risk of being breached and misused.

Mishaal is a Project Coordinator at Media Matters for Democracy. She is a Public Policy graduate with past experience as content strategist and research writer. Her main areas of interest are political science, world history, and public policy.

No comments

Sorry, the comment form is closed at this time.