NADRA data leak
The personal data of millions of Pakistanis may have been compromised due to security weaknesses at NADRA. A top FIA official told the National Assembly’s Standing Committee on Information Technology and Telecommunication that the national database’s biometric records had been hacked. The revelation comes less than three months after the launch of NADRA’s much-touted biometric verification cell phone app, though it has not been confirmed if the compromised data was stolen using weaknesses in the app or elsewhere in Nadra’s network. But it is also barely 18 months since the government claimed that the data of 115 million Pakistanis floating on the darknet was not stolen from NADRA, even though it is one of the few bodies that have such extensive records.
FIA Cybercrime Wing Additional Director Tariq Pervez later clarified that only NADRA’s biometric system — used for SIM verification, among other things — has been “compromised”, not its entire data record. Still, in a country like Pakistan, where fingerprint details are required to get several essential services, biometric data alone can provide criminals and other bad actors with opportunities to wreak havoc. Indeed, the FIA has already seized 13,000 “fake” SIMs, referring to SIMs acquired through identity fraud, likely using the compromised biometric data.
The PTA separately said over 26,000 “fake” SIMs were found in October alone, and that about half a million SIMs have been blocked for malpractices in issuance, and two cellular operators have been fined Rs100 million and Rs50 million, apparently for some degree of involvement in issuing the “fake” SIMs. But while the PTA claims that illegal issuance of SIMs is down 600% over the past year, the FIA cybercrime wing had said it had received some 89,000 complaints, which its 162 investigation officers cannot feasibly process in a timely manner.
The government’s lack of concern over the data leaks is also highly concerning. Across the democratic world, securing citizens’ personal information is of paramount importance, and breaches are considered serious offences for which heads roll. But not here. Here, we only learn our data has been compromised as an afterthought during a regularly scheduled NA panel meeting.
Published in The Express Tribune, November 27th, 2021.
Like Opinion & Editorial on Facebook, follow @ETOpEd on Twitter to receive all updates on all our daily pieces.