Investigation confirms theft of 2.7M digital ID records in Pakistan

The National Database and Registration Authority (NADRA), which protects millions of Pakistanis’ personal information, is under scrutiny following the exposure of a large data breach. The National Assembly’s Standing Committee on Interior has been informed that over four years (2019-2023), data for 2.7 million Pakistanis had been stolen, prompting dismissals of implicated NADRA officials. Reports indicate that at least some of the data was sold internationally. The incident has sparked major concerns about privacy and national security, as sensitive information such as names and addresses was exposed. While NADRA has removed the personnel involved, the incident exposes flaws in the authority’s cybersecurity architecture and emphasizes the urgent need for comprehensive reforms to prevent data breaches.

Insider involvement and global data exploitation

The stolen data included names, addresses, and other important personal data belonging to 2.7 million Pakistanis. The data allegedly made its way to the dark web and was sold in Argentina and Romania. The interruption has raised serious questions about NADRA’s ability to protect its data and ensure its cybersecurity integrity.

Investigations disclosed that the theft was captured at NADRA offices in Karachi, Multan, and Peshawar, with evidence of insider involvement. Authorities recommended action against the senior NADRA officials whose negligence led to this massive data theft. The stolen data was allegedly moved from Multan to Peshawar before reaching Dubai. A joint investigation team (JIT) formed by the Federal Investigation Agency (FIA) determined that senior officials’ negligence permitted the data theft, which was transmitted through a series of sites before being sold abroad.

In response, NADRA terminated a Grade 19 officer and five other accused employees, but concerns about internal accountability remain. During a National Assembly committee meeting, difficulties in NADRA’s operational capacity were identified, including a limited budget and a lack of local offices in several regions. The chairman of NADRA informed the NA committee of budget constraints, stating that 87 percent of our budget, which stands at 57 billion rupees (US$200 million), goes to salaries and that NADRA has about 240 operational vans, with plans to procure 90 more. Critics pointed out that systemic faults and lack of oversight created vulnerabilities that were exploited by malicious actors. This massive data breach highlights the urgent need for cybersecurity reforms and robust security to prevent future attacks on Pakistan’s sensitive public databases.

Broader implications and risks

The NADRA data breach has significant consequences for national security and citizen privacy. The disclosure of sensitive information places millions of people at risk of identity theft and fraud. Furthermore, reports of fraudulent identity card issuance to Afghan nationals through insider conspiracy undermine the integrity of Pakistan’s digital identity system. During the National Assembly standing committee inquiry about Afghan nationals acquiring fake ID cards, the chairman responded that NADRA had already blocked 150,000 such cards.

Vulnerable communities, such as the Bihari community, continue to struggle with getting formal identification, limiting their access to essential services and opportunities. These challenges show systemic weaknesses in the identity management system, emphasizing the importance of comprehensive reforms to secure data, prevent misuse, and provide equitable access to identity services.

Need for cybersecurity reforms

NADRA manages the civil records of all Pakistani nationals, and such a breach can have far-reaching consequences. The data leakage highlights the critical need for comprehensive cybersecurity reforms to safeguard sensitive national information. Modern encryption techniques must be executed to secure data, guaranteeing that even if a breach occurs, the information remains inaccessible and unusable. Stricter access restrictions are required to prevent unauthorized access, and comprehensive employee training programs should focus on recognizing threats like phishing and social engineering attacks.

The government of Pakistan has to execute preventive policies in cybersecurity infrastructure to combat these scams consistently. Regular audits and strengthened accountability mechanisms are also essential for managing internal threats and cultivating a security culture. Investing in modern cybersecurity infrastructure and training staff for data encryption and safety is critical for protecting citizens’ data and restoring public trust in digital governance.

Article Topics

biometrics  |  cybersecurity  |  data protection  |  digital ID  |  Digital Pakistan  |  identity management  |  NADRA  |  national security  |  Pakistan