A recent Senate committee meeting has brought to light a critical and ongoing data privacy crisis[1] in Pakistan, with lawmakers challenging the Pakistan Telecommunication Authority (PTA) over persistent data breaches.
Personal information belonging to millions of Pakistani citizens, including SIM data, CNICs, travel histories, and records of Hajj applicants, has been compromised and sold on the dark web since 2022. The crisis is fueled by a longstanding policy vacuum, particularly the absence of a robust data protection law, which leaves citizens exposed and undermines national security.
Understanding the Dark Web: The Anatomy of a Threat
The dark web, a hidden segment of the internet, is a bustling black market for stolen personal data. Unlike the surface web, it requires specialized tools like the Tor browser to mask user identities and traffic.
In these illicit marketplaces, databases containing personal identifiers are among the most damaging commodities, enabling identity theft and cybercrime on a massive scale. Experts have indicated that sensitive data like CNICs and SIM numbers are particularly valuable on the dark web.
The portion of the World Wide Web became notorious because it quickly became synonymous with illicit marketplaces, trading drugs, providing weapons, and other illegal goods and services.
A Systemic Failure: The Policy Vacuum in Pakistan
The PTA, despite efforts to block websites selling the stolen data, confirmed the extensive leaks, acknowledging that even the PTA chairman’s own SIM data was compromised. This systemic failure is largely attributed to the delay in finalizing and enacting the Personal Data Protection Bill, 2023. While the bill, modeled on the EU’s GDPR, aims to regulate data handling and mandate breach notifications, it remains pending in Parliament.
The current legal framework, the Prevention of Electronic Crimes Act (PECA), 2016, focuses on punishing cybercrimes rather than proactively protecting privacy. It lacks clear provisions for data privacy rights, corporate accountability for data security, and robust enforcement mechanisms. This legal gap has facilitated the proliferation of data leaks and eroded public confidence in the state’s ability to protect its citizens.
Dark Web Trade: Price of Compromised Data
Information exposed on the dark web is being sold at alarmingly low prices, further exacerbating the risks for affected individuals. According to local media reports, mobile location information is available for as little as Rs500 (~$1.76 USD), with detailed mobile records fetching Rs2,000 (~$7 USD), and international travel details selling for Rs5,000 (~$17.55 USD). Some reports indicate even lower prices, with personal information being sold for as little as Rs. 350.
The low cost of this sensitive data makes it easily accessible to malicious actors looking to exploit it for identity theft, fraud, or other nefarious activities.
Consequences and National Security Risks
The exposure of sensitive data has far-reaching consequences:
- Identity Theft and Fraud: Exposed CNIC and travel data are exploited for fraudulent activities, with data profiles reportedly selling for as little as Rs500. This has resulted in financial losses for individuals and eroded trust in institutions.
- Erosion of Public Trust: The compromised data of federal ministers, senior officials, and ordinary citizens has significantly damaged public trust in state institutions.
- National Security Threats: Senators have warned that compromised data could be weaponized by hostile actors, posing significant geopolitical and national security risks. Cybersecurity experts have labeled the situation a “systemic failure.”
- Economic Impact: Persistent data breaches deter foreign investment and pose economic risks.
The Road to Reform: Action Plan and Challenges
To address the crisis, Pakistan must implement a comprehensive strategy:
- Pass and Enact the Data Protection Bill: Swiftly finalize and pass the 2023 bill in draft[2], ensuring robust protections like 72-hour breach notifications, data localization, and strict penalties.
- Fortify Digital Infrastructure: Establish a high-security national data center with strong encryption and adopt modern security practices like Zero-Trust Architecture (ZTA).
- Strengthen Enforcement: Bolster agencies like the National Cyber Crime Investigation Agency (NCCIA) and Federal Investigation Agency (FIA) with increased resources, advanced training, and international cooperation to investigate breaches and block dark web trade.
- Boost Public Awareness: Launch national education campaigns to inform citizens about data protection and online threats.
- Upgrade Technology: Implement advanced security measures like zero-knowledge encryption and multi-factor authentication across all critical platforms.
Challenges include reliance on foreign servers, resource shortages, and bureaucratic delays. However, experts emphasize that with the necessary political will and strategic investment, Pakistan can mitigate these threats.
Major Data Breaches and Timeline
2017: NADRA Data Compromised
Incident: According to an infographic by the Digital Rights Foundation, the National Database and Registration Authority (NADRA) database was reportedly compromised in 2017, with reports alleging that sensitive data fell into the hands of foreign intelligence agencies.
Context: This was part of a larger pattern of vulnerabilities and scandals at NADRA, including the issuance of thousands of fake CNICs over the years.
2018: Credit and Debit Card Data
Incident: Hackers stole the credit and debit card details of over 19,000 users from around a dozen Pakistani banks. The data was subsequently sold on the “Jokerstash” dark web forum for prices ranging from $100 to $135 per card.
Response: In response, the State Bank of Pakistan (SBP) advised commercial banks to block international transactions for affected customers. The Federal Investigation Agency (FIA) acknowledged the breach and admitted the need for improved security.
April 2020: 115 Million Mobile Users’ Data
Incident: Cybersecurity firm Rewterz discovered a data dump containing the personal information of 115 million Pakistani mobile users for sale on the dark web. The data included full names, addresses, CNIC numbers, tax details, and mobile phone numbers.
Context: The cybercriminal demanded 300 BTC (equivalent to over $2.1 million at the time). The breach was reportedly linked to a leak from telecom provider Mobilink (Jazz) but could have originated from a business partner or government agency.
March 2024: NADRA Leak Affects 2.7 Million Citizens
Incident: A Joint Investigation Team (JIT) confirmed that the personal information of 2.7 million citizens was compromised from NADRA’s database between 2019 and 2023.
Findings: The JIT found that NADRA offices in Karachi, Multan, and Peshawar were involved, with the stolen data reportedly surfacing in Argentina and Romania. Disciplinary action was recommended against officials, and technology upgrades were suggested.
May 2025: Global Breach Impacts Pakistani Users
Incident: Pakistan’s National Cyber Emergency Response Team (N-CERT) issued a warning about a global data breach that exposed the login credentials and passwords of over 180 million internet users worldwide, including a large number in Pakistan.
Details: The leak, believed to have been caused by “infostealer malware,” compromised credentials for services like Google, Microsoft, Apple, Facebook, and various banking and healthcare platforms.
September 2025: Hajj Applicants and Other Data Exposed
Incident: During a Senate committee meeting, lawmakers confirmed that the personal data of approximately 300,000 Hajj applicants, along with CNICs, travel histories, and SIM data, was circulating on the dark web. The PTA chairman acknowledged that even his own SIM data had been compromised since 2022.
Response: The Interior Minister ordered an investigation, and the PTA moved to block over 1,300 websites involved in the illegal trade of citizen data.
The ongoing data breach crisis comes across as a fundamental challenge to national security, economic stability, and public trust.
By finalizing data protection laws, strengthening enforcement, and investing in robust digital infrastructure, Pakistan has the opportunity to transform this crisis into a model for regional data privacy and security.
References
- ^ data privacy crisis (www.techjuice.pk)
- ^ 2023 bill in draft (www.moitt.gov.pk)