Both TechJuice and Pro Pakistani reported a PITB data breach. I urge you to read both stories, especially the one on TechJuice. It’s comprehensive and very well written. And pretty damning too. There is a lot to unpack. I will do it quote by quote. From TechJuice:
Sensitive information of millions of Pakistani citizens may have been compromised in what can be dubbed as the biggest data breach of Pakistan.
In August last year, ProPakistani reported that Punjab Information Technology Board (PITB) had exposed sensitive data of thousands of individuals, comprising CNICs and scanned copies of personal documents. According to PITB, a bug that contributed to this exposure was taken care of; however, no comments were made on the possession of leaked data.
Nine months later, PITB is yet again in deep waters after it was revealed that sensitive information acquired through various PITB portals is now being sold publicly. This information comprises personal and family data held by NADRA, criminal records tracked by the Police and call data recorded by telecom companies.
First, a little context. I sometimes feel everything that happens in Silicon Valley starts to happen elsewhere as well. It probably has to do with the similarities between how software systems are built and, pertinently here, the potential security loopholes inside them. But the past couple of years have been tough for companies operating on massive amounts of data. Even Silicon Valley (the show) took a jab at them in its latest episode. So it’s natural that data breaches and misconduct have started to happen elsewhere as well.
How did this happen?
From TechJuice again:
The breach traces back to when PITB gained access to NADRA’s server after it was allowed to digitize the data of citizens by linking CNIC numbers to various public departments. This data could only be accessed through authorized users, however, it is now being alleged that these officials shared their credentials which were used for extraction and trading of sensitive information of Pakistani citizens.
More specifically, it was AgriLoan, an application built by PITB, that’s to blame. From the article again:
PITB has developed various portals for digitizing diverse sectors. One such portal is AgriLoan that was developed to boost the agriculture sector of Pakistan. The portal service provides loans to small farmers through a convenient process in which all of the data is automated and can be accessed easily just by entering the CNIC of a registered farmer. PITB’s website states that all “stakeholders can access the database of over 350,000 registered farmers”. However, with reports of the recent data breach, it is evident that various unauthorized personnel also gained access to this database.
Upon research, TechJuice discovered that login credentials for the Lahore and Sargodha districts were publicly shared for free. The username and password for the authorized access also appeared to be identical, indicating a huge security lapse. They also posted a step-by-step guide to help other users extract information from the portal.
The AgriLoan login panel was accessible till yesterday; however, the link is not working today. A tutorial on YouTube also explains how to extract CNIC data from the AgriLoan portal. The tutorial uses the same credentials for the Lahore district as revealed by the Facebook user above.
Leave the above Silicon Valley context aside, because this is not a breach or an attack. It’s gross incompetence. Perhaps the most sensitive information in the country was protected by a username/password pair of “lahore_district” and “lahore_district”. NADRA pinned the blame on PITB. Because why not. And oh, they did one more thing. They gave PITB a timeline to fix this. Yes, a timeline. They didn’t revoke the access immediately. They gave a timeline.
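The two failures the article documents, an account whose password is its own username and one credential shared among many people, are both cheap to catch before they turn into a timeline. The code below is an added example, not part of the article and not PITB’s or NADRA’s code; the account names, IP addresses, log format and thresholds are constructed. It rejects a credential pair that a sane policy would never accept, and it flags an account whose successful logins arrive from too many distinct source addresses within a short window, the usual footprint of a shared password.

```python
"""Added example: a credential-policy check and a shared-credential detector.
Everything here (accounts, IPs, log format, thresholds) is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of passwords a registration form should never accept.
COMMON_DEFAULTS = {"password", "admin", "123456", "welcome1", "changeme"}


def password_policy_violations(username, password, min_length=12):
    """Return the policy rules a credential pair breaks; an empty list means it passes."""
    violations = []
    u, p = username.strip().lower(), password.strip().lower()
    if p == u:
        violations.append("password identical to username")
    elif u and u in p:
        violations.append("password contains username")
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if p in COMMON_DEFAULTS:
        violations.append("matches a known default password")
    return violations


# Constructed portal audit log: timestamp, account, source IP, login result.
# One district account is used from four addresses within minutes.
SAMPLE_LOG = """\
2019-05-01T09:00:12 lahore_district 203.0.113.10 OK
2019-05-01T09:02:44 lahore_district 198.51.100.7 OK
2019-05-01T09:05:01 lahore_district 192.0.2.55 OK
2019-05-01T09:06:30 lahore_district 203.0.113.88 OK
2019-05-01T09:30:00 sargodha_district 203.0.113.10 OK
2019-05-01T10:10:00 sargodha_district 203.0.113.10 OK
2019-05-01T11:00:00 multan_district 192.0.2.9 FAIL
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def shared_credential_accounts(events, window=timedelta(hours=1), max_sources=2):
    """Map each account that logged in successfully from more than max_sources
    distinct IPs inside any sliding window of length `window` to those IPs."""
    by_account = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "OK":  # failed attempts say nothing about sharing
            by_account[account].append((ts, ip))
    flagged = {}
    for account, logins in by_account.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) > max_sources:
                flagged[account] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    print(password_policy_violations("lahore_district", "lahore_district"))
    print(shared_credential_accounts(parse_log(SAMPLE_LOG)))
```

The policy check belongs at account creation and password change; the detector belongs in whatever reads the portal’s authentication log, and an account it flags should have its sessions and password revoked first and the explanation sought afterwards, not the other way round.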
Response from PITB
Perhaps the most perplexing thing, at least to me, in all this was the response from PITB. To be specific, from Umar Saif. First, he told Pro Pakistani (via TechJuice):
The same media outlet also reached out to Dr. Umar Saif, who said that they are actively revoking the access of their portals and applications, while also launching inquiries and action against alleged personnel. He said that all instances have been resolved and they are actively blocking any breach of authorization. However, he did not comment on the absence of security protocols that were not deployed by PITB in the apps and portals under question.
Seems like a statement that I would expect from him. Fixing what he realized is broken and staying silent about things he is not completely sure of. You can’t blame him if someone from his large team chooses a stupid username/password like that. So what do you do? You don’t say anything, but you understand what you need to do. It’s not my fault, but I share the responsibility. All good. But then he started tweeting. First these two:
For one, these are not the statements of a person who knows what he is doing. And second, when you are being accused of something you don’t respond with a threat. At least not until you have clarified what has happened (from what’s on TechJuice you can’t assume nothing has happened), how you are planning to deal with it, and finally distinguished the smoke from the fire. And let the public be the judge of the whole situation.
He ended with this.
Much calmer, but it’s still a statement of denial. Let’s assume it was just smoke. Wouldn’t it be wise to address the smoke rather than deny it? But there is no explanation, which creates more room for “fake news”. Instead, the message is aimed at media reporters. Which a man of his stature should not be worrying about. Especially when nothing has happened—according to him. But I might just happen to have an explanation for this.
Years ago I wrote a critical piece on a startup at an early growth stage. The founder, who is now an acquaintance, sent me an angry email. Not because what I said was wrong (in hindsight the article was a bit off), but questioning my right to say it. In his mind, he was changing Pakistan. And my article hurt his and the company’s reputation. In my mind, I was trying to do my job and possibly helping him. It just happened that I disagreed with some of the product decisions he was making. And wrote about them in a publication meant for such articles. You would think we have come a long way.
Unfortunately, the situation hasn’t changed much. Most founders still focus too much on themselves. And not so much on the product, the business model or the customer experience. The people in the ecosystem are not helping because they are treating the founders like angels. You are not supposed to speak against them. Yes, what they are doing probably does not make sense, and sometimes even gross, but it’s alright because they are being bold. And courageous, something news reporters and writers are not—for some reason.
It’s a mentality that has taken us nowhere. And we are still wondering if there is ever going to be a unicorn. And will we ever be able to break through? On the same grounds, digitizing government is a great step forward. But it’s just that. A great step forward. Or maybe a GREAT step forward. But it’s not noble in its entirety. There are always going to be consequences. Naturally, some of them are going to be bad. And it’s the under-appreciation of those that leads to tweets like these. Yes, I am more concerned about the tweets than the data breach. Because I am certain Umar Saif and his team can, if they haven’t already, fix the latter.