close
Thursday March 28, 2024

Tension within SECP escalates as it tries to downplay data breach

By Umar Cheema
August 24, 2022

ISLAMABAD: Sensitive data of the Securities and Exchange Commission of Pakistan (SECP) has allegedly been stolen which has resulted in a tug of war between the chairman and the relevant commissioner. The latter claims she was kept in dark about the breach. The commissioner has now written to the finance minister for independent inquiry into the matter.

The SECP regulates the corporate sector and is custodian of public and private information of the directors and financials of companies registered in Pakistan. The leaked database included private information like the chief executive officers of the companies, their identity cards, email addresses, residential addresses and other details including financial information.

When did this breach occur? It remained undiscovered by the concerned head of information security, Mubashir Sadozai. The SECP came to know only when a news website alerted the regulator by sending queries on July 27. Nothing significant was done other than issuing a statement that the matter had been fixed.

The relevant commissioner, Sadia Khan, claims she was not informed. She would only come to know three weeks later when a citizen, Zaki Khalid, who works on open-source intelligence, brought this matter to the attention of the government through the Prime Minister portal. A hacker from Estonia has claimed the responsibility of stealing the data. This coincides with an ongoing training on cyber security of SECP officials being conducted by Estonian trainers. The SECP said there was no correlation between the two.

Upset at this breach, Sadia Khan, not only lodged a protest within the SECP, she has written a letter to Finance Minister Miftah Ismail. “It is with a sense of deep concern that I am writing to you to inform you about a serious case of data leakage… I was informed about the incident in the afternoon of August 18, 2022, through a junior officer… even though the leakage of data took place on July 27, 2022… I requested a Commission meeting which though convened [it] was cancelled at the request of the Chairman.”

If the information being conveyed, she writes further, about the extent of the data leakage is correct, “the damage done from this incident is unprecedented.” She has demanded an independent investigation of the incident before the damage is irreversible, both in terms of the sanctity of the data entrusted to us as well as the reputation of the Commission, reads her letter. At present, there are only two commissioners, Chairman Amir Khan and Sadia Khan. Three seats are lying vacant.

Amir Khan was appointed chairman by the PTI government in 2019. Sources within SECP claim Mubashir Sadozai, the current head of information security, doesn’t have requisite IT qualification and was given this charge thanks to his closeness with the chairman. Chairman Amir Khan, however. replied that the said IT person is acting in charge only and was given this charge after the incumbent resigned a year ago. Amir Khan said the acting charge is given to someone who has the most relevant background from existing pool within the SECP as said person looks after e-services also. “I didn’t know the said gentlemen until three years ago”, Amir said, refuting the allegation of any personal bias. The chairman also added, “I was informed of the breach on the 18th of August, which is 10-12 working days after it took place. This is unfortunate. The same day, however, Sadia Khan who is also head of the information security, secretary finance and policy board chairman were informed. Same day press release was issued.” However, The News understands through documentary evidence that the matter had been brought to the attention of the Chairman Secretariat on July 27 through Musarrat Jabeen, Executive Director of Chairman Secretariat. The chairman may not have been informed.

Sadozai is not only the head of information security; he holds several other charges. He is registrar of companies as well as the head of administration, finance and compliance departments. Neither any inquiry has been ordered against him or any other official.

The SECP chairman also added that full time IT head will be joining soon as a year long search involving several advertisements and been completed. On the latest leak, the SECP has downplayed the significance. “Please note that all of the data so accessed unauthorisedly is public data and otherwise available on payment of fee. However we are also in process of hiring private investigators to a certain the level of breach and recommend actions to prevent such a thing in future.”

The SECP response against this serious breach is in contrast with the action it took after a story by Ahmed Noorani about the family of Lt Gen Asim Saleem Bajwa reported dozens of the family’s companies registered with the SECP. Arsalan Zafar Hijazi, a deputy director, was suspended on the suspicion of sharing the information about Bajwa’s companies notwithstanding the fact it was otherwise public information. The charges were framed and show cause served within two weeks.

Asked whether Sadia Khan protested on being kept uninformed, the SECP spokesperson said she might directly be contacted for her view. She was not available for comments; however, another SECP official said that Sadia refused to concur with the response prepared on her behalf for sharing with The News. Responding to the question of why an incident report was generated three weeks later when the matter was first brought to the Commission notice on July 27, the spokesperson said the Commission was not then clear if any publicly available data had been scrapped from the SECP website.

Previous government’s failure to fill key positions has been continued by current government also. It continues to impact the SECP negatively as it ads to inefficiency, confusing overlapping roles, and politicising within the critical functions of the regulator.