
The National Cyber Emergency Response Team (National CERT) of Pakistan has issued a cybersecurity advisory to all individuals and to public and private organizations handling Personally Identifiable Information (PII) of Pakistani citizens.
The advisory mandates immediate and strategic data protection actions in response to an alarming rise in data breaches, identity theft, and privacy violations across key sectors. It applies to all entities that collect, store, process, or transmit PII of Pakistani citizens, regardless of their nature, size, or infrastructure, including on-premises, cloud, and hybrid environments.
The National Cyber Security Policy 2021 recognizes citizen data protection as a matter of national security and public trust. The advisory highlights growing threats posed by weak internal controls, outdated systems, unencrypted data flows, installation of malicious apps, and poor cyber hygiene, all of which make organizations vulnerable to financial fraud, operational disruption, reputational damage, and potential regulatory action under laws such as PECA 2016. Breaches involving CNIC numbers, health records, or financial information not only erode public trust but also increase risks of exploitation by both criminal and hostile entities.
Organizations are urged to take immediate and structured action, including classifying data by sensitivity, applying strict access controls, encrypting PII in storage and transit, and ensuring that all software and systems are kept up to date. Organizations should also adopt a secure development lifecycle, retain PII only as required by law, implement clear breach response protocols, and audit third-party vendors handling personal data. Over the long term, entities are expected to align with regulatory standards, adopt zero-trust principles, ensure disaster recovery readiness, and build a security-aware workforce through regular training and testing.
The National CERT also urges individuals to safeguard their personal data. Citizens are advised to share CNICs and personal documents only when absolutely necessary and to clearly label any copies provided (e.g., “For SIM registration only”). Strong, unique passwords and multi-factor authentication should be enabled on all critical accounts. People should be cautious about oversharing personal details online or with unverified service providers, and should avoid downloading applications from unofficial sources, which may be malicious and leak sensitive data.
The National CERT emphasizes that proactive data protection is not just a compliance requirement but a strategic necessity. It calls on both organizations and individuals to act decisively to secure personal data, preserve national digital infrastructure, and restore confidence in Pakistan’s cyber ecosystem.