Senate panel startled by data leaks, ID theft

A parliamentary panel on Tuesday unanimously approved amendments to the Prevention of Electronic Crimes Act (PECA) based on proposals submitted by the Pakistan Telecommunication Authority (PTA) and the National Cyber Crime Investigation Agency (NCCIA).

The Senate Standing Committee on Interior meeting also saw startling disclosures about identity theft, data leaks and weaknesses in Pakistan's passport and registration systems.

The committee, which met under the chairmanship of Senator Faisal Saleem, was told that a fraudster had travelled to India in 2023 by misusing the identity and passport details of a Pakistani lawyer.

Raising the issue, Senator Afnanullah Khan informed the committee that a consultant associated with the Attorney General's Office had his identity misused, with a forged passport allegedly enabling a fraudster to travel to India.

"The affected lawyer is present here; you may ask him," the senator said.

The victim told the committee that an unknown individual had used his identity and passport details to travel to India, adding that the incident caused him serious hardship.

He said he was forced to take his parents to the National Database and Registration Authority to prove his Pakistani citizenship.

He further told the committee that he holds dual nationality, uses a British passport for travel, and has been waiting for over a year to meet the director general of passports.

The director general of passports told the committee that NADRA had shared multiple cases of identity fraud with his department. He said a dedicated dashboard had now been developed to help detect and prevent fraudulent travel.

Senator Palwasha Khan questioned how identity data was stolen from NADRA and asked how such data breaches were occurring. Responding, the DG passports said citizens often share passport and CNIC details on WhatsApp, which could be a source of data leakage.

Senator Talha Mahmood alleged that NADRA had issued identity cards to Afghan nationals and terrorists. The DG passports acknowledged that the cited case dated back to 2023 but said both NADRA and the passport department had since introduced reforms and technological improvements.

Senator Afnanullah Khan further claimed that data belonging to NADRA, banks and the Federal Board of Revenue (FBR) was available on the dark web, asserting that personal data of any citizen could be purchased for Rs500. He stressed that such large-scale data theft was impossible without insider involvement.

He alleged that sensitive personal data of Pakistani citizens, including consolidated records from state institutions, was openly available for sale on the dark web, pointing to possible insider involvement.

Raising the issue, the PML-N senator told the committee that the stolen data appeared to be recent, highly organised, and far too comprehensive to have been accessed without internal collusion.

"All of Pakistani nationals' data is on the dark web. And it is the latest data," the senator said, adding that the information was so refined that "we might not have such well-processed data" ourselves.

He claimed that individual records could be obtained for as little as Rs500, while data covering the entire population was being offered for Rs70–80 billion. "Data worth Rs70-80bn is [available] on the dark web," he said.

Senator Afnanullah cautioned that stolen data could be exploited for multiple criminal purposes, including the issuance of fraudulent passports and identity cards. Questioning repeated breaches, he said: "Why is Pakistanis' data stolen time and again?"

'Internal collusion'

Addressing Immigration & Passports Director General Mustafa Jamal Qazi, the senator asserted that theft on such a scale was impossible without internal assistance. "Without the [involvement of] people inside the organisation, data theft at such a large scale is not possible. It is impossible. The data of 240 million people cannot be stolen just like that."

The committee chairperson and PTI Senator Faisal Saleem Rahman asked whether any formal investigation had been conducted.

DG Qazi responded that an inquiry had taken place and that officials had been removed as a result.

Senator Rahman also stressed the importance of safeguarding sensitive data held by law enforcement agencies, asking who would be held responsible if such information were compromised.

Social media regulation debated

Minister of State for Interior Talal Chaudhry informed the committee that the government was in the process of establishing a dedicated cyber security authority. He suggested that Senator Afnanullah Khan be formally briefed by NADRA on the issue.

The meeting also saw committee members express displeasure over the absence of the inspector general of police Sindh. The chair questioned why the IG was not present and why the committee had not been informed.

Committee member Saifullah Abro stressed the need to curb the monopoly of police powers, questioning police accountability in incidents such as the Gul Plaza fire.

He asked where the police were when a station house officer was shot dead in Sindh and whether the police's role had been reduced to harassing parliamentarians.

He urged the committee to legislate mechanisms to hold police officers accountable.

Senator Anusha Rehman raised concerns about the lack of clear procedures for removing objectionable content from social media platforms. She asked what action would be taken if platforms failed to comply with requests from the PTA or NCCIA.

The director general NCCIA told the committee that the agency had already approached social media platforms seeking cooperation.

Minister of State Talal Chaudhry said that laws governing social media fell under the mandate of relevant ministries, adding that while terrorists once relied on firearms, they now used social media to exert influence.

He stressed the need to legally bind social media platforms and service providers.