Friday March 24, 2023

Nadra’s data breach a national security threat

November 29, 2021

That Nadra’s data has been compromised is a very serious issue in the digitalised world we live and breathe in. The fake sims issued on biometric verification are symptoms of a greater challenge: the threat of malicious actors of dark web content acting as ransomware mafia, hackers, extortionists and national security violators.

Nadra's data compromise statement came after an FIA officer stirred alarm among the members of National Assembly’s Standing Committee on IT who posed various questions to him regarding the theft of Nadra's data.

At this, the FIA’s additional director altered his statement saying Nadra’s data had not been hacked, but its biometric system compromised and used during the sim verification process.

He also told the committee members that whenever they traced a suspect involved in financial frauds, the suspect usually turned out to be an elderly man or a woman whose data was being used by someone else.

Nadra refuted the claim of FIA official. In a statement issued after the committee meeting, Nadra’s spokesman said the public biometric data was completely safe and had not been hacked. However, it is suspected that an employee of Nadra may have sold data on the dark web.

The dark web is part of the deep web which cannot be accessed by normal surfing but needs a VPN and other apps to surf. It is a different cyber world where things can go nasty. For example, fake IDs are sold; money-laundering is explained; pedophilia is worse; you can hire a hitman for 10 dollars to eliminate any person who is above 16 and is not a politician or not a famous personality as per the rule; drug trafficking is just like the stuff from online stores to be delivered through doorsteps; arms and weapons are available to be sold and delivered; terrorism manuals, tutorials, and unmentionable things are also up for grab.

The dark web in Pakistan is not properly regulated and can be easily accessed. By using a simple VPN, one can get to this nasty world. A little search on the net will tell a surfer how to get to this dark world.

The law is simply vague and browsing is still legal. Though some sites are banned in Pakistan, accessing through a change of IP address is simple. The dark web is increasingly watched by states all over the world, yet we have not developed such capability to monitor surfing from Pakistan. A cyber security agency estimated that 115 million Pakistanis’ data, including pictures, ID cards, were up for sale on the dark web. Even some journalists use the dark web to hide/store sensitive information which is later traded for monetary compensation.

Another example of cybercriminals who sell personal information on the dark web – or misuse it – is hoax callers. Having access to phone numbers, hoax callers – dressed as bank operatives – dupe citizens, obtain their personal information and get money from their accounts.

Several hackers have been even punished. Some of the investigations reveal that most fake calls were made from a few districts of Punjab, including Gujranwala, Hafizabad and Rahimyar Khan.

The dark web is thriving in Pakistan with criminals forming nexus with govt employees, cellular phone agencies and bank employees.

If Nadra's data is sold on the dark web by an employee, it should be a wake-up call for all state institutions dealing with sophisticated net data and operations. Recently, FBR was hacked and there was also a report of selling some data on the web and the government was forced to pay compensation as ransomware.

The dark web content platforms have attracted several hackers in India who sell their services online and charge a fee for hacking WhatsApp, FB pages, bank accounts and IDs for interested private clients, both individual and vested groups.

They offer services like location tracing, cloud data extraction, blackmailing know-how, hacking in public records, unnoticeable social media monitoring, manipulating credit scores, retrieving troves of sophisticated documents and so on.

Many of these hackers work for Indian establishment with focus on Pakistani security institutions for cyber espionage. The Indian cyberspace is a booming market for ransomware, dark propaganda, illicit and unmentionable activities. What is alarming is that compromise of Nadra's sim detection technology is not just a criminal act or breach of our privacy but it poses a threat to national security. Terrorists can easily use these sim cards and coordinate attacks. Our security institutions must be alarmed at this breach.

It needs a thorough investigation and a mechanism as to how Nadra's data can be protected and prevented from falling into the hands of dark web operators/connectors and potential terrorists.

Jan Achakzai is a geopolitical analyst, a politician from Balochistan and an ex-adviser to the Balochistan Government on media and strategic communication. He remained associated with BBC World Service. He is also Chairman of the Institute of New Horizons (INH) & Balochistan. He tweets @Jan_Achakzai