Data of 180 million consumers compromised in cyber security breach
More than 180 million Pakistanis have had their internet user credentials exposed in a shocking global data breach, exposing serious vulnerabilities and systemic gaps in the country’s cyber security, law enforcement and legal frameworks.
A recent article by the National Cyber Emergency Response Team of Pakistan (PKCERT) reports that login credentials of over 180 million Pakistani internet users have been exposed in a massive global data breach. This data security incident is a stark reminder of the ever-rising cyber vulnerability individuals, businesses and institutions face. It points to a deeper systemic issue in Pakistan’s cyber security and investigative apparatus.
The PKCERT stated that the compromised data includes user names, passwords, emails and URLs related to services used worldwide. These range from major global technology giants like Google, Apple, Microsoft, Facebook, Instagram and Snapchat to government portals, banks, educational institutions and healthcare service providers. The breach stemmed from info-stealer malware, which silently exfiltrates sensitive data from infected systems and relays it to the attackers. The leaked data was left unencrypted and universally accessible. Some of it may prove a goldmine for criminal hackers.
The incident has put millions of Pakistani internet users at risk of identity theft, financial fraud, account takeovers and phishing attacks. Many people re-use a password. This makes them more vulnerable, as anyone with access to a leaked password can then access their logins on numerous other platforms. The data is now widely available. This is driving up the pace of “credential stuffing” attacks, a type of automated attack that tests stolen credentials on as many websites as possible to see whether they give access to accounts.
Data breaches are increasingly occurring on a more serious scale. The 2023 Verizon Data Breach Investigations Report states that more than 80 percent of the breaches occurred because of compromised credentials. According to Trends in Cyber Breaches Globally, the global situation is similar to that in Pakistan. However, Pakistan is more vulnerable on account of limited cyber security infrastructure and public awareness.
Between 2019 and 2023, more than 2.7 million citizens’ records from the National Database and Registration Authority were breached. When a joint investigation team uncovered a NADRA leak, they discovered that personal information had been gathered from Karachi, Multan and Peshawar.
Since that breach, Pakistan’s digital security has been a big issue on the international stage. Global partners and investors have raised serious questions about the country’s ability to protect sensitive data. International investors routinely track cyber risks as part of due diligence. A poor cyber security record can critically erode the attractiveness of a foreign direct investment destination. The countries deemed to be digitally insecure will inevitably lose out on lucrative international partnerships, technology transfer and all possible participation in the global digital economy. This reputational damage is not easily fixed.
PKCERT has advised the public to change passwords, create stronger passwords and use unique passwords on all platforms. Where possible, it says, multi-factor authentication – requiring additional verification, for example, a code sent to a phone number, biometric or a hardware token – should be used. An additional layer of security significantly reduces the risk of unauthorised access. That said, the cyber security responsibility should not fall solely on individual users. The recent breach of a local news channel’s database illustrates a more serious systemic problem: the profound disconnect between technology that is advancing quickly and the ability of Pakistan’s law enforcement, judiciary and legal practitioners to keep up with it.
A cybercrime investigation requires a blend of technical, legal and forensic skill sets to be effective. Digital forensics, malware analysis and cyber threat intelligence are areas where Pakistan’s investigation officers are often inadequately trained and resource-deficient. Whereas traditional crimes typically cross boundaries slowly, cybercrimes can propagate almost instantly. Lack of technical capability often leads to failed or poor evidence collection, causing low prosecution rates.
The judges presiding over these trials must understand the complex technical evidence and the technical methods used to obtain it. It is critical to understand the validity of digital evidence, the admissibility of expert technical testimony and legal decision making. Lawyers representing people accused of or victims of cybercrimes must likewise be up to date.
Frequently, the technological complexity and the legal capacity gap lead to delays in the administration of justice. Criminals seek to exploit these weaknesses in enforcement. This gap requires urgent and enduring reforms in law enforcement, training and judicial education. The legal basis for combating offences like unauthorised access, data breaches, cyber terrorism, online fraud and electronic forgery is mostly covered in the Prevention of Electronic Crimes Act, 2016.
The PECA also covers rules for digital evidence and procedure. Law enforcement is only beginning to become aware of crimes related to the Act. The law enforcement personnel must periodically share awareness of evolving threats. Meanwhile, cyber crime courts and prosecution units too are still developing.
Cyber crime law is evolving rapidly to resolve data privacy, protection and cross-jurisdiction enforcement issues. The European Union’s General Data Protection Regulation has laid down strict rules for data breach notifications. These models can be learnt and replicated in Pakistan, too. The lawmakers and regulators must enforce robust data protection standards by mandating encryption of sensitive data and by enforcing timely breach disclosures. Academic institutions can play an important role in this regard in collaboration with technology developers, law enforcement and legal experts. Some Pakistani universities are already training professionals capable of dealing with cyber threats.
However, while the demand for cyber law professionals continues to build, the supply has been limited. The universities and research institutions should also emphasise applied research, cross-training and partnership with law enforcement. International research publications like the Journal of Cyber-security and Digital Forensics and policy papers from the International Telecommunication Union have been emphasising the need for an integrated approach.
Cyber literacy should also be extended beyond universities to include schools and workplaces. Supporting a cyber-security culture at the national level is essential to building digital resilience.
The author is a researcher, writer and analyst in the field of cyber security. He has an MPhil in cyber crime and is currently pursuing a PhD in computer science.