Ali Malik

Ali Malik

Biggest Data Breaches In History of Pakistan

Pakistan has suffered numerous data breaches in recent years, which point to the need for the country to rethink its cyber security strategy. Pakistan should place the development of robust data protection and cyber crime laws at the center of a broader cyber security strategy that brings citizens’ rights to the forefront.

Privacy is a multifaceted issue, now being considered from a number of different perspectives. The co-evolution of information and communication technologies with privacy concerns has led to the development of national identity cards schemes such as NADRA and India’s Aadhar Card, which are used in many countries around the world. These databases can hold large amounts of personal information, including sensitive data on ethnicities and religions.

Due to the integration of their centralised database with vulnerable e-government mobile apps and other public bodies, data leaks from NADRA have experienced a considerable increase. Yet, the state has failed to legislate on the issue of personal data protection and has generally excluded it from the cyber security legal landscape.

In 2018, the Punjab Information Technology Board (PITB) was accused of a data leak that compromised personal data of millions of citizens, leading to an alarming increase in identity-theft crimes. The board failed to inform the affected individuals of the breach and did not take any action to ‘de-identify’ them by allotting them new CNIC numbers or cards.

Despite the provisions contained in the NADRA Ordinance on “ensuring security, secrecy and necessary safeguards for protection and confidentiality of data … at individual as well as collective level” and criminal penalties for “breaching the security or secrecy of data”, no efforts were made by the NADRA to stop the dissemination of stolen data or file any complaint against perpetrators. This leaves victims without any protection at all.

The Punjab Safe Cities Authority (PSCA) is a state-led initiative that uses modern technology to monitor the movements of citizens, including those who reside in private vehicles. Recently, images of couples in their personal vehicles were leaked online, identifying them and their vehicles through their registration numbers. Despite this breach of privacy, no action was taken by the PSCA to ensure that this does not happen again. The victims did not initiate any action against them either as the damage was already done. Besides, victims hardly ever initiate proceedings against authorities for breach of privacy, particularly due to the absence of clear laws and limited awareness around them and the view the general populace holds of judicial processes.”

The Prevention of Electronic Crimes Act 2016 (PECA) outlines regulations pertaining to identity theft activities. Although not defined under PECA, a generally accepted definition of identity theft entails criminal acts where the perpetrator misappropriates and uses another person’s identity or parts of their identity to create a synthetic identity to commit further crimes.

The Personal Data Protection Bill, which will be drafted by the Ministry of Information Technology and has been approved by parliament, is a welcome step toward protecting personal information. However, it does not address the main issue of safeguarding personal data from breaches by public bodies, including the National Database and Registration Authority.