Pakistan’s cyber insecurity: A growing threat

A recent global report by cybersecurity company Kaspersky underscores Pakistan’s continued vulnerability to a range of cyber threats, including phishing attacks, malware, and spyware. The report highlights the prevalence of backdoors, keyloggers, and trojans, which are often used for data theft and to enable more severe attacks like ransomware.

Pakistan’s cybersecurity landscape is fraught with dangers. Threats include hacking, identity theft, cyberbullying, cyberstalking, spoofing, financial fraud, digital piracy, viruses, worms, malicious software, intellectual property rights violations, money laundering, denial-of-service (DoS) attacks, electronic terrorism, vandalism, and pornography. Pakistan is especially vulnerable to malware such as Gamarue, Skeeya, and Peals, which can install additional malicious software and steal personal data. The threat of Distributed Denial of Service (DDoS) attacks—where attackers use compromised computers to overwhelm systems—adds another layer of risk, particularly in sectors like banking.

Pakistan’s cybersecurity shortcomings are exemplified by several high-profile incidents. A joint investigation team recently confirmed that the personal data of 2.7 million Pakistanis was stolen from the National Database and Registration Authority (NADRA) between 2019 and 2023. This data was transferred to Dubai and eventually sold in Argentina and Romania. This breach raises significant concerns about the country’s ability to protect sensitive information. Beyond the immediate theft, this incident has far-reaching implications, including the risk of identity theft and financial fraud.

The breach highlights Pakistan’s lack of preparedness in terms of legislation, policy, and implementation to tackle these threats. This incident underscores the need for stronger cybersecurity measures and comprehensive data protection laws. 

Pakistan’s cybersecurity framework includes the Prevention of Electronic Crimes Act (PECA) 2016, which covers a range of cybercrimes such as unauthorized access to information systems, data theft, electronic fraud, and cyberstalking. However, the enforcement of these laws remains weak, and the protection of personal data is insufficient. PECA is often criticized for its lack of clarity and implementation, leaving gaps that hackers can exploit.

In May 2023, the Ministry of Information Technology and Telecommunication (MOITT) introduced the Personal Data Protection Bill 2023, which is yet to be passed into law. While the bill aims to strengthen data protection, it has been criticized for several shortcomings. Critics point to its vague exceptions, such as broad terms like "national security," "public interest," and "legitimate interest," which could dilute its effectiveness.

The banking sector in Pakistan is particularly susceptible to cyber-attacks. In 2018, almost every Pakistani bank was targeted in a cyberattack, resulting in the theft of customer data and a loss of public trust. For instance, over 19,000 card details from 22 banks were stolen, and sensitive information such as contact numbers, credit card details, and personal data was compromised. Hackers demanded payment in cryptocurrencies like Bitcoin. Cyberattacks have also impacted other sectors, including the Federal Board of Revenue (FBR), which suffered a breach compromising the data of millions of taxpayers, and utility companies like K-Electric, which faced a disruptive attack.

The Federal Investigation Agency’s (FIA) National Response Centre for Cyber Crime (NR3C) has also been targeted in these breaches, exposing the critical need for more robust cybersecurity measures.

Malware development remains rampant, with new tools such as Lumma and Redline becoming popular among cybercriminals. These malware programs are often sold on the dark web, where hackers buy stolen login credentials, with prices starting at $10 per log file. These credentials enable a variety of cybercrimes, from financial theft to social engineering and impersonation.

Hafeez Rahman, a technical group manager at Kaspersky, notes that the dark web is thriving with new malware types, making it crucial for individuals and companies to remain vigilant against potential threats.

Despite formulating the Digital Pakistan Policy in 2017, Pakistan still lacks a comprehensive cybersecurity policy. The absence of a dedicated agency responsible for cybersecurity further compounds the problem. The NR3C, while handling cybercrime investigations, remains under-resourced and ill-equipped to tackle the complexities of modern cyber threats.

According to Symantec, Pakistan ranks among the top ten countries most vulnerable to cyberattacks. The country’s exposure to cyber threats is exacerbated by a lack of legal, technical, and organizational measures. There is also a severe shortage of skilled cybersecurity professionals. Existing defense and enforcement mechanisms are inadequate, and current legislation is insufficient to protect the nation’s digital assets.

Pakistan faces a growing cybersecurity crisis. From high-profile data breaches to widespread financial and institutional vulnerabilities, the nation’s digital infrastructure is ill-prepared to deal with evolving cyber threats. While laws such as PECA and the Personal Data Protection Bill are steps in the right direction, their enforcement remains lacking. Without greater investment in cybersecurity infrastructure, legislation, and professional training, Pakistan will continue to be a prime target for cybercriminals. The time to act is now—before the next breach hits.