Pakistan’s national data security framework came under intense scrutiny in the Senate Standing Committee on Information Technology and Telecommunication after lawmakers raised serious concerns that sensitive citizen information allegedly available on the dark web could expose millions of Pakistanis to identity theft and financial fraud. The issue was discussed during a meeting chaired by Senator Palwasha Mohammad Zai Khan.
During the briefing, lawmakers highlighted reports claiming that personal information of Pakistani citizens, including bank details, addresses and family records, could be purchased online for as little as Rs500. The matter sparked alarm among committee members as the National Database and Registration Authority (NADRA) is the custodian of data of nearly 240 million citizens.
Responding to the concerns, NADRA’s Chief Information Security Officer informed the committee that the information circulating on the dark web does not represent the full NADRA database. He explained that most leaked datasets contain between 4 and 15 data fields, whereas NADRA’s official citizen database contains 48 structured fields. According to the official, many of the fields appearing in leaked datasets such as utility bill information, educational records and other documents are not even collected by NADRA and may originate from other institutions where citizens submit copies of their identification documents.
However, the NADRA representative acknowledged that a past data breach involving approximately 2.3 million records had occurred. He clarified that the breach represented a small fraction compared to the country’s total population of around 240 million citizens.
To strengthen cyber security protections, NADRA informed the committee that it has deployed 1,400 firewalls across critical infrastructure and is implementing advanced monitoring mechanisms through a 24 hour Security Operations Center (SOC). The authority is also following the Pakistan Security Standard (PSS) framework ahead of its full national implementation in 2028.
Officials further briefed lawmakers on multiple security measures including third party cyber security audits, vulnerability assessments, penetration testing, secure software development protocols, web application firewalls, and compliance with ISO/IEC 27001 international information security standards. NADRA also conducted a bug bounty programme inviting ethical hackers, university students and cyber security firms to identify vulnerabilities in its live systems.
The committee was also briefed on the ICT Household Survey, under which data from approximately 94,000 households in Islamabad is being collected. Officials confirmed that the survey data is being stored on NADRA servers under the legal framework of the NADRA Ordinance 2000, which prescribes strict penalties for data breaches, including up to 14 years of rigorous imprisonment.
Officials from ICT informed the committee that the authority is currently developing a new door to door data collection application, which will eventually feed information directly into the National Data Repository. They also clarified that no data will be shared with any entity without authorization from the Ministry of Interior and Narcotics Control.
Despite these assurances, lawmakers stressed the seriousness of protecting national identity data. Members warned that any breach involving NADRA could have far reaching consequences for national security and citizens’ privacy.
Senator Talha Mahmood cited past cases of identity misuse and stressed the need for extreme vigilance given NADRA’s central role in Pakistan’s digital identity system. Committee members emphasized that their intention was not to accuse the authority but to sensitize it about the enormous responsibility it carries as the custodian of the country’s citizen database.
The chairperson of the committee also proposed a visit by lawmakers to NADRA’s facilities to review the security infrastructure firsthand and gain a deeper understanding of the systems protecting Pakistan’s national data infrastructure.
