The Federal Board of Revenue (FBR) has formally rejected multiple reports suggesting it was the target of a major cyberattack. The authority issued a statement stating that “no data breach or takeover has occurred,” insisting that published claims alleging widespread system compromise are incorrect.
The controversy erupted after unspecified media outlets cited an investigation by the Federal Tax Ombudsman (FTO), which reportedly warned of serious vulnerabilities within the FBR’s IT infrastructure. One publication claimed cybercriminals had gained control of taxpayer records and manipulated transaction data. In response, the FBR reaffirmed its denial and stated that its systems remain secure and operational.
Despite the denial, the FTO’s published findings appear to highlight significant concerns. According to the ombudsman’s office, hackers may have exploited weak passwords, insider access, and outdated infrastructure to infiltrate the FBR’s Large Taxpayers Office and Corporate Tax Office systems. If accurate, these vulnerabilities could provide attackers with the ability to alter and exfiltrate sensitive tax data records.
Observers say the incident, whether a full-scale cyber incursion or not, draws attention to Pakistan’s wider public sector cybersecurity gaps. Reports dating to 2021 flagged FBR’s use of aging servers, legacy software and unpatched systems as major risks. The state’s revenue collection mechanisms rely heavily on digital systems, making them high-value targets for espionage, fraud and disruption. Analysts argue that irrespective of this particular claim, the FBR must upgrade its governance around IT and data protection.
From a regulatory standpoint, the episode arrives at a sensitive moment. Tax collection, data integrity and public trust are all intertwined with Pakistan’s broader digital economy goals. A genuine breach or sustained perception of vulnerability could undermine investor confidence and hamper reform efforts under the “Digital Pakistan” agenda.
For now, the authorities appear to be playing a defensive posture. The FBR’s official bulletin refers to the published cyberattack story as “highly misleading” and claims that all relevant systems remain intact. It did not however detail the specific audit or forensic activities underway to validate its position.