• NADRA, PTA spokespersons reject claims against their respective departments as data leak makes headlines

In a massive breach of privacy, personal and sensitive data of millions — if not hundreds of millions of Pakistanis — has been leaked over the internet as blame game continues between the authorities concerned with none of them willing to take the fall for the divulgence.

According to the details, multiple smartphone applications and websites, one of which is Sim Database Online, are hosting millions of Pakistani telecom users’ sensitive data such as their Computerised National Identity Card (CNIC) numbers, names and even residential addresses, all of which can be accessed by simply entering the victim’s mobile number.

RELATED STORIES

Not only does the web-based application further goes on to reveal other mobile numbers registered in the name of the privacy breach victim, but also claims to be providing services such as mobile phone tracking.

A screen grab of ‘Sim Database Online’

“Such applications have been around for quite some time now and most probably are the reason behind the recent spike in number of identity theft incidents in Pakistan,” sources told The Current, adding that leaks of government-held databases remain the biggest contributor to identity theft-related crimes in the country, around 50,000 of which were reported in 2019 alone.

Some groups on Facebook are also offering information regarding driving licences, current location, call details and even criminal records associated with any CNIC numbers if you pay them, sources claimed. “You can even dig out the National Database and Registration Authority (NADRA) family trees associated with a CNIC for a few hundred rupees.”

They went on to claim it wasn’t just Pakistanis’ confidential data that was being hosted by such web applications. “Sensitive personal information of Afghans and Indians can also easily be accessed through these websites, but there appears to be no urgency among authorities of the three countries to protect their citizens,” they claimed.

When asked if NADRA or the Pakistan Telecommunication Authority (PTA) were to be held responsible for the leak, they blamed the latter, saying the watchdog had failed to keep an eye on what the country’s telecommunication companies were doing with sensitive data of their customers.

“How else do you the inboxes of so many people get flooded with text advertisements?” sources questioned, alleging that a data archive of registered telecom users was leaked online in August 2017.

“The archive contains information about registered mobiles users of Pakistan categorised by their telecom companies. It is publicly available and contains personal information recorded to verify SIM cards. Despite the leaked information being brought to light by many, the data remains available.”

Speaking to The Current, an information technology (IT) expert said that e-governance came with a set of standards across the world. “If you give access to someone, you have to follow these standards and maintain a certain security level. But unlike the rest of the world… where they have emergency response teams to investigate such issues, Pakistan has had no such probes I know of.”

“Instead of having teams that react to such incidents, we need certain proactive measures,” the IT expert said, adding that privacy over the internet was a right of the users, and most identity theft-related crimes could be linked to data leaks associated with government bodies over the years.

NADRA & PTA:

When approached, NADRA spokesperson Faik Ali told The Current that there was no truth to the claims being made regarding the role of the authority in the data leak as it very carefully managed the sensitive registration database of all citizens.

“NADRA has nothing to do with it,” he said and also rubbished claims regarding a data breach from two years ago.

“We had in 2018 also denied accusations of leakage of voters’ data ahead of the general election,” he said, adding that it was also clarified by the authority in a letter to the Election Commission of Pakistan (ECP). “There has never been a data breach in the history of NADRA and we have never shared any citizen’s data with anyone.”

Faik also reiterated NADRA’s commitment to protect sensitive data of all citizens come what may.

PTA Public Relations Director Khurram Mehran, on the other hand, rejected all claims regarding the watchdog’s alleged inability to protect the data of telecom networks’ customers, saying that no telecommunication companies were involved in releasing confidential information of their customers.

He, however, said that action would be taken against any company if evidence to support such claims is there.

ADVERTISEMENT

To a query, the PTA spokesperson further said if there were any such cases, they were to be dealt under the Prevention of Electronic Crimes Act (PECA) provisions by the agency concerned, as they were cybercrime cases.

Repeated attempts were made to contact the chairperson of Senate Standing Committee on IT and Telecommunication, Rubina Khalid, but she was unavailable.