Current Pakistan Security Posture and absence of Data Privacy Protection Regulations

Cyber threats are encountered all over the world and are now one of the most crucial areas to focus on. By a rough survey, businesses face thousands of attacks every day aimed at disrupting business operations. Similarly, organizations have suffered ransomware attacks that not only affected their operations but also cost them control over critical data needed to run the business.

The pandemic created an opportunity for e-commerce and other e-businesses to trade virtually. It also lured cyber criminals into conducting massive cyber-attacks globally. Since Covid-19, in-person communication has shifted to virtual communication, and business is done over the internet. With everyone having to work from home, it opened up the possibility for cyber criminals to explore weak spots that had needed attention for a long time.

Pakistani infrastructure has been attacked several times, including the banking sector and the public sector. Back in 2013, for the first time, some banks’ websites and in some cases their online banking systems were compromised by cyber criminals. Starting with Soneri Bank’s online banking system, the websites of Allied, HBL, Tameer, MCB, and Burj Bank were hacked and defaced within a week.

According to the few resources available online, the cyber criminals had warned the bank and made suggestions before the defacement, but this was not considered. As a result, they carried out the defacement with a clear message and announcement to uplift bank security measures and overall infrastructure.


The back-to-back bank hacks seven years ago raised severe concerns about Pakistan’s security standards and posture. While companies in other countries embrace the best information security practices to protect their infrastructure against vulnerabilities and security flaws, Pakistan remains reluctant to recognize the importance of protecting data and Personally Identifiable Information (PII). The concept of consumer and user privacy is unheard of in many local organizations across the country.

It was not long ago that one of the most significant cyber security incidents was reported: in 2018, Bank Islami came into the spotlight for fraudulent payments made through ATMs and POS terminals from different countries after its infrastructure was compromised. The bank tried to hide the breach until the hackers possibly used the dark web to publish payment cards and PINs for sale for about $75, which made the bank temporarily shut down all transactions routed through the international payment schemes.

Later on, the State Bank of Pakistan (SBP) released ERD/M&PRD/PR/01/2018–91, informing banks about the security breach of payment cards and instructing them to take all necessary measures to trace the vulnerabilities. Furthermore, SBP also issued a directive to all banks to ensure that security measures on all IT systems, and on those related to card operations, are continuously updated to meet any future challenges.

While relying on technology, organizations often miss the essential aspects, i.e., the risk to information and data stored online. Not long before October 2020, a local transportation and logistics startup named “Bykea” experienced a data breach in which cyber criminals managed to interrupt and delete the whole database, while the company survived thanks to its backups.

Although the data remained unaffected, organizations need to understand their responsibilities and do everything possible to shield those who rely on them to keep their data unharmed.

In April 2020, the Pakistan-based cybersecurity company Rewterz found a data dump of 115 million Pakistani mobile users on sale for 300 BTC on the dark web. The company further stated that the stolen data includes users’ names, addresses, mobile numbers, CNICs, and tax numbers.


Data is an asset of any business, and it is not that organizations fail to understand the significance of their holdings in the digital age. It is mainly that many organizations cannot comprehend the value of their data and, thus, cannot mitigate the risk wherever it lives.

Another data breach was observed in 2018, when data was exposed because of the Punjab Information Technology Board’s unregulated e-governance app connected to the NADRA API. It has been called the most notable data leak in the history of Pakistan to date.

In 2018, another ride-hailing service, “Careem,” suffered a data breach due to unauthorized access to its system, resulting in the theft of data on over 14 million users, both customers and captains. However, the company assured users that personal data such as credit cards and passwords was safe, as it kept that data on a third-party PCI-compliant server.

Subsequently, Careem put security measures in place, informed its users, and directed them to a series of precautions so that it does not happen again in the future.

But after all that has happened, and while privacy concerns have rapidly increased worldwide, this area has remained neglected within the country over all these years. Amid this negligence, Pakistan witnessed the most reluctant behavior towards consumer data protection in September 2020, when Karachi’s only electricity provider, K-Electric, was hit by ransomware, followed by the suspension of its online billing service.

Initially, the cyber criminals threatened to leak confidential data if payment was not made before the final deadline. It should not be forgotten that K-Electric has access to sensitive information, and this ransomware attack has left thousands of consumers exposed to online menaces, both now and in the future.

But regrettably, the careless attitude towards the value of confidential data and cybersecurity left the organization open to attack and risk: hackers dumped 8.5 GB of data on the dark web after the deadline expired on September 30, 2020. The records contain information such as customers’ names, CNICs, addresses, and bank account details.


There will always be new threats, new risks, and unknown exploits that organizations have to predict and prepare for. Through lessons learned from their surroundings, proactive backups, disaster recovery plans, vulnerability management, training, and awareness, organizations can prevent ransomware problems.

Multiple factors keep Pakistan lagging in terms of data protection. The primary defect is that Pakistan does not have any effective strategy or law to deal with these threats, nor is there any data protection law under which users and customers can demand that companies fully disclose exposed and leaked data. The Crime Prevention Act Law 2007/2008 lacks both offensive and defensive cybersecurity capabilities and other aspects of the cybersecurity realm. Another factor is that many organizations are reluctant to invest in their Information and Security Departments, and the absence of a law gives companies leverage, since they cannot be held responsible for the compromise of confidential user data.

Additionally, citizens need to ensure that their information is kept secure, and they must be aware of the law and their rights. Sadly, Pakistan has no particular data protection law that companies would be bound to follow. With increasing cyber threats, there is now a pressing need to introduce new rules to protect consumers’ confidential data from possible attacks.


Dealing with Information Security as my day job and Information Security research at night. Co-organizer for #BSidesIslamabad, advocate for #HackingIsNotACrime.
