By Asra Rizwan on May 7, 2018
Sensitive information of millions of Pakistani citizens has been compromised in what may be dubbed the biggest data breach in Pakistan.
In August last year, a local media outlet reported that the Punjab Information Technology Board (PITB) had exposed sensitive data of thousands of individuals, comprising CNICs and scanned copies of personal documents. According to PITB, the bug responsible for this exposure was taken care of; however, no comments were made on the possession of the leaked data.
Nine months later, PITB is yet again in deep water after it was revealed that sensitive information acquired through various PITB portals is now being sold publicly. This information comprises personal and family data held by NADRA, criminal records tracked by the Police and call data recorded by telecom companies.
According to the reports and evidence received by TechJuice from two separate entities, the sensitive information compromised includes:
- CNIC Information
- SMS & Call Records
- NADRA Family Tree Data
- Criminal Records
- Rent Tenant & Hotel Visitor Information
- SMS Spoofing services
- Offline Databases of Registered Mobile Users
How did it happen?
The breach traces back to when PITB gained access to NADRA’s server after it was allowed to digitize the data of citizens by linking CNIC numbers to various public departments. This data could only be accessed by authorized users; however, it is now being alleged that these officials shared their credentials, which were then used to extract and trade sensitive information of Pakistani citizens.
A sample call to an unprotected API returned data from the PITB apps developed and hosted in the PITB data center. The call makes it evident that no authentication was put in place.
Desktop applications have also been developed to connect to the offline databases and extract data to be sold online.
In addition to this, a data archive of telecom companies is also publicly available that contains not only call records but also the address and CNIC number of the user registered against each SIM.
How is this data being publicly sold on social media?
In the aftermath, data was extracted and is now being sold publicly in Facebook and WhatsApp groups for as low as PKR 100. When TechJuice viewed one of these public groups, we were horrified to see that some of the members were running limited-time promotional campaigns to share data for free. Complete NADRA family trees were also being sold in these groups.
Which applications compromised this data?
One of the portals developed by PITB, Agriloan, allowed users to extract a citizen’s data by their CNIC number. Once the number is fed into the system, it gives out the person’s name, picture, date of birth, and past and permanent locations.
For another app, Police Toolkit, used by Punjab Police, the credentials are being sold and personal information is being leaked, such as criminal records, driving license information, FIRs, vehicle ownership and verified SIMs.
According to the reports, the Pak vs World XI mobile app also fell victim to the data breach and gave access to information on hotel check-ins and criminal records.
What do NADRA and PITB have to say about this breach?
In conversation with a local media outlet, NADRA revealed that it has been aware of the situation and pinned responsibility for the safety of the data on PITB. NADRA had already set a deadline for PITB to resolve this breach. NADRA has frequently mentioned the lack of security measures put in place by PITB to protect the data.
The same media outlet also reached out to Dr. Umar Saif, who said that they are actively revoking access to their portals and applications, while also launching inquiries and action against the alleged personnel. He said that all instances have been resolved and they are actively blocking any breach of authorization. However, he did not comment on the security protocols that were not deployed by PITB in the apps and portals under question.
TechJuice has reached out to NADRA for a comment. We also reached out to the InfoSec team who shared the details with us as #PITBLeaks; however, they declined to comment further.
[Update] Chairman PITB, Dr. Umar Saif, has recently tweeted on the matter, but it seems that PITB is also unaware of the culprits behind this data violation.
Punjab Government will be taking legal action for whoever is responsible for making and propagating false, unfounded and malicious content against government IT systems on whatsapp, facebook and twitter.
6:29 PM – May 7, 2018
On the other hand, InfoSec Team has also launched a campaign on Twitter:
#NADRA, police, and telecom data of citizens got leaked in the biggest #cybersecurity #breach in the history of #Pakistan. Everything from your address, call records, police records, driving license database, even the hotels u stayed in
Thanks to #PITB & #DrUmarSaif. #PITBLeaks
7:52 AM – May 7, 2018
How does it impact Pakistani citizens?
The scale of this breach poses dangers for each citizen whose information has been compromised. In the hands of criminals, anti-state actors and terrorists, the non-renewable information puts the safety of every Pakistani citizen at risk. The question is, how will NADRA and PITB be held accountable for the breach? How will the perpetrators be tracked and brought to justice? Most importantly, how can the leaked information be prevented from being used and modified? While we seek answers to these questions, a criminal application has already extracted data from PITB and connected with its other applications available on the Play Store.