Information technology expert breaks down just how bad NADRA data breach was

May 9, 2018

The Naya Din team spoke to an IT expert, Faiz Ahmed Shuja, who broke down for us just how bad the data breach was.

Punjab’s IT board had access to NADRA records. The board set up mobile phone apps and gave them access to the records. Hackers got hold of this data and made quite a bit of money from it.

This is not the first time that NADRA’s data has been compromised. According to WikiLeaks and Julian Assange, American and British intelligence agencies acquired access to NADRA’s database and got hold of the identification records of Pakistanis. They obtained the data to track anyone they might suspect of being involved in terrorism.

According to Shuja, the data was leaked due to unregulated e-governance apps, such as those that sold tickets for cricket matches in Pakistan online. “NADRA provides access to different government organisations,” he said. “For example, when you go to buy a mobile phone SIM, you provide your fingerprints.” He said that your fingerprints are matched against your NADRA data to verify your identity.

NADRA had given this kind of access to different government departments as well as the Punjab Information Technology Board (PITB), said Shuja. He said that PITB launched an application to sell cricket match tickets. “People would give their ID credentials and get their tickets,” he said. “These applications have been misused.”

According to the IT expert, the apps had certain weaknesses and hackers exploited them.

“Were there no firewalls?” asked Naya Din host Ali Arif. “Such applications are everywhere in the world. Were there no precautions in place?”

Shuja said that even though security is multi-layered, apps contain certain glitches. “In technical terminologies, we call it the API,” he said. “The API connects your application to the backend database [of NADRA].”

“Were the APIs exposed?” asked another host of Naya Din, Muhammed Shuaeb.

The APIs were exposed and, therefore, no authentication was required to access NADRA’s data, said Shuja. “And it’s quite alarming as you can see all the ID card information with your picture, your family tree, your traffic records and the hotels you have checked in along with the date and time [getting leaked],” he said. “The data is there on the backend. There was no security and the hackers misused the APIs and obtained the data.”

Who is responsible?

“Is there a possibility of NADRA’s role?” asked Shuaeb.

According to Shuja, NADRA and all the organisations involved have a role. “You can’t pin the blame on a single entity,” he said.

“You need to ensure security at every level,” said Shuja.

What can be done?

E-governance comes with a set of standards, regulations and best practices across the world, said Shuja. “If you give access to someone, you’ll follow these standards and you’ll maintain a certain security level,” he said. “For example, if you’re giving access to NADRA data in a cricket application, it should be limited.”

What can be done about the leaked data?

“Most countries have an emergency response team that investigates such issues,” said the IT expert. “So far, we haven’t had such an investigation.”

“Do we have such an investigation team?” asked Arif.

Shuja said we have a “reactive” team that conducts investigations after an incident happens. “But you need to have certain proactive measures,” he said. “There should be incident response teams that contain an attack right away.”

He said that digitisation of government facilities should happen as it gives citizens easy access. “But this should happen in a controlled environment with regulations in place,” he said.

As for NADRA, he said the authority should provide only what is required to government apps instead of giving them complete access to all its data.