The Federal Tax Ombudsman (FTO) has warned the Federal Board of Revenue (FBR) that its entire IT system has collapsed and is allegedly under the complete control of cybercriminals.

This was stated by the FTO in an order issued on Friday.

The FTO order revealed serious security vulnerabilities that make the system susceptible to data manipulation, backdoor entries, and unauthorized transactions. It appears that the entire IT system has collapsed and is under the control of cybercriminals, who can operate without leaving any trail or risk of being caught.

These are extremely serious issues that must be addressed immediately to ensure the survival of the FBR’s IT infrastructure.

The FTO order disclosed that, despite extraordinary efforts to apprehend the real culprits involved in the repeated change of the complainant’s ID password every month, the misuse of the complainant’s ID password has not stopped, with the latest incident occurring in the tax period of July 2025.

Therefore, the involvement of insiders with direct access to the system, especially from PRAL, cannot be ruled out. The repeated hacking of the same taxpayer’s password also reflects poorly on the quality of security and the sanctity of the data and the entire IT system.

Critical system weaknesses include compromised data integrity, inadequate data security, weak internal controls, and insufficient safeguards against tax fraud. Inadequate system controls have resulted in data manipulation, a lack of system alerts for unusual activity, inadequate HS code matching between input and output tax, poor quantitative reconciliation, and unauthorized changes in taxpayers’ profiles that facilitate the creation of fake transactions.

Additionally, there is evidence of potential collusion between taxpayers and FBR/PRAL employees to exploit these system vulnerabilities.

The FBR will direct the Chief Commissioners-IR at RTO Lahore, CTO Lahore, RTO Gujranwala, RTO-I Karachi, RTO-II Karachi, RTO Peshawar, RTO Multan, CTO Islamabad, RTO Islamabad, RTO Quetta, and RTO Sialkot to ensure legal proceedings for conviction against the beneficiaries of tax fraud.

This is to be done in compliance with the Board’s instructions dated 07.09.2023 in Sales Tax General Order No.12 of 2023, “Standard Operating Procedure (SOPs) to deal with cases involving flying and fake invoices.” The Chief Commissioners are also to identify other beneficiaries down the supply chain and immediately share their details with the relevant jurisdictions for legal action as per the Board’s instructions.

The Member Ops-IR is to issue an explanation call to the concerned Commissioners-IR of RTO Lahore, RTO Gujranwala, RTO-I Karachi, RTO-II Karachi, RTO Peshawar, RTO Multan, and CTO Islamabad for not taking appropriate legal action in compliance with Sales Tax General Order No.12 of 2023, despite intimation from this forum.

The Director General I & I-IR is to intensify efforts to apprehend the masterminds, Shiraz Ahmed and Mr. Niaz Ahmed, as already identified and pointed out in their report dated 22.08.2025, and other cybercriminals, including individuals from PRAL (if any), as discussed in paragraphs 12 and 13, for conviction under the law.

The CCIR, LTO Karachi, in coordination with the Director General I & I-IR and DG IT, is to take immediate and appropriate action to stop the continuous hacking of the complainant’s ID passwords every month, so that the complainant may resume business as normal.

The FBR is to furnish a comprehensive report to this forum within 60 days, the FTO order added.

By admin