Pakistan’s data privacy nightmare is spiraling as Jazz, the country’s largest telecom operator, faces renewed backlash over alleged misuse of user data. This comes just as a major Pakistan Telecommunication Authority (PTA) breach has exposed systemic vulnerabilities at the very institution meant to safeguard citizens’ digital rights.
Dozens of websites are offering sensitive data, including mobile location information, call records, and overseas travel histories. According to BiometricUpdate.com, mobile location data is being sold for 500 Pakistani rupees ($1.76), detailed call records for PKR 2,000 ($7), and travel histories for PKR 5,000 ($17.55).
Only months ago, Pakistan’s National Cyber Emergency Response Team reported that login credentials for over 180 million users had been stolen in a global data leak. Victims included users of social media, government portals, banks, and healthcare systems.
Daraz CFO Calls Out Jazz
Ahmad Hassan, CFO of Daraz took to LinkedIn in the wake of finding out malpractices at Jazz. He accused Jazz of sharing customers’ mobile numbers with insurance companies and commercial enterprises for marketing campaigns.
“I am really shocked that Jazz is sharing our mobile numbers with different commercial enterprises including insurance companies to promote their products. It is really frustrating to receive these unsolicited calls at most inappropriate times. Someone really needs to take a notice of this exploitation & monetization of customer data by the biggest Telcos of Pakistan,” Hassan posted on LinkedIn[1].
His comments echo long-standing frustrations among Jazz users, who frequently complain about spam calls, promotional SMS, and privacy violations.
Jazz’s History of Data Breaches
Jazz has faced multiple major data leaks over the last five years. In 2020, a massive breach exposed details of over 115 million mobile subscribers, including Jazz customers, marking one of the biggest privacy incidents in Pakistan’s history.
In 2022, dark web forums reportedly sold 71 million Jazz records, including names, CNICs, and SIM registration details. While PTA denied an official breach, it admitted there had been “unauthorized access.”
At that time, Jazz clarified their stance on data leaks:
Jazz continues to develop advanced cyber security capabilities to actively protect its networks, products and customer data. There have been no reports of any unwanted activity on our network or breach of subscribers’ data. (1/2)
— Jazz (@jazzpk) January 16, 2022[2]
In 2023, Jazz was fined Rs. 10 million by PTA; not for privacy issues but for overcharging customers. Despite repeated privacy controversies, there has been no regulatory penalty specifically for mishandling or leaking user data.
These incidents have eroded public trust, raising concerns that Pakistan’s largest telecom operator has failed to adopt world-class security practices.
Jazz & Third Party Data Transfer
Jazz’s privacy policy mentions that they might share customer data with third parties for things like billing, customer service, and marketing partnerships. However, they make it clear that when it comes to agreements with digital ad exchanges and ad agencies, they only use anonymized data.
Although Jazz has faced data breaches in the past where hackers sold user data illegally, the company itself doesn’t sell raw customer data to other businesses in Pakistan. At least, that is what the official narrative has been so far.
PTA, Telecos Data Leaks Raises Alarm
In 2025, hackers infiltrated 1,300 government websites, including systems under PTA’s supervision, and exposed sensitive records of senior officials. This incident has shaken confidence in the regulator’s ability to protect critical telecom infrastructure and enforce accountability on operators like Jazz.
The breach has sparked calls for an independent cybersecurity authority with powers to investigate telecom operators and mandate public disclosure of data leaks.
Legal and Regulatory Gaps
Pakistan’s Personal Data Protection Bill (PDPA), which would require breach disclosure within 72 hours, is yet to formalize. As shocking as it is, there is no direct cyber-protection law in Pakistan that safeguards individuals and entities from data leaks and sell-offs.
Without an enacted PDPA, over 80 million Jazz users have no clear legal recourse if their data is leaked, shared, or monetized without consent.
What You Can Do To Avoid Spam Calls
To protect yourself against unsolicited marketing cold calls, here is something you can do:
- Register for the “Do Not Call Register” (DNCR): Send “REG” to 3627 to block marketing calls and SMS from legitimate telemarketing companies. Registration may take up to two business days. To remove your number, send “REMOVE” to 3627.
- File a Complaint with PTA: If unwanted calls persist, file a complaint via the PTA online portal, helpline (0800-55055), or the DIRBS app.
- Report Fraudulent Calls: Report suspected scam calls to the FIA Cyber Crime Wing under PECA via their online complaint system or helpline (111-345-786).
- Contact Jazz Directly: Jazz users can raise concerns through their helpline (111) or email ([email protected][3]). Jazz’s privacy policy states they do not sell personal data, but some service subscriptions imply consent to share data with trusted third parties.
What You Can Do If Your Data is Leaked
In case of data sell-offs on the dark web, you can confirm if you were involved in data breach. Google has started notifying users of their email/password leaks on dark web recently, but if that is not enough, you can use services like HaveIBeenPwned.com to see if your email/phone number has been leaked.
If your data is breached, immediately do the following:
- Change Passwords Immediately: Use strong, unique passwords for every account.
- Enable Two-Factor Authentication (2FA): Adds an extra security layer even if your password is compromised, hackers can’t log in without your second factor.
- Check Account Activity: Look for unauthorized logins or transactions, especially in your bank, email, and social media accounts.
Some more protective measures you can take is to use a VPN while surfing the internet and avoid using public Wi-Fis especially if you have to use bank apps.
If telecos like Jazz, Telenor, Ufone and Zong are involved with data selling which eventually reaches dark web, there is not much anyone can do but to pressurize the authorities for justice. Understand that leaked data and data sell-offs are irreversible on a larger scale. It is better to focus on damage control. Stay alert for phishing calls, scams, or fake loan offers targeting you after a leak, and do all protective steps.
PTA has denied of any large data breaches of telecommunication sector, while Jazz has not issued any public statement about the accusations.
References
- ^ posted on LinkedIn (www.linkedin.com)
- ^ January 16, 2022 (twitter.com)
- ^ [email protected] (www.techjuice.pk)