
Pakistan's National Database Biometric Data Compromised

Pakistan's Federal Investigation Agency Says Biometric Data Leaked
Biometric data can be compromised, as appears to have happened at NADRA. (Source: Pixabay)

Tariq Pervez, additional director, cybercrime wing at Pakistan's lead investigation bureau, the Federal Investigation Agency, during a briefing to the National Assembly Standing Committee, revealed that the country's National Database and Registration Authority's biometric data has been compromised, according to a report by Pakistan daily Dawn.


Dawn initially reported that the biometric data from the National Database and Registration Authority, or NADRA, had been hacked. But Pervez later clarified that the data had been compromised, but not hacked.

The FIA additional director said that NADRA's biometric system had been compromised during the SIM card verification process, according to Dawn's article. Pervez reportedly told the national assembly that a crackdown in Faisalabad had led to the seizure of 13,000 fake SIM cards.

Pervez also told the national assembly that with only 162 investigating officers, FIA's cybercrime wing is unable to address the 89,000 complaints it has received thus far.

In February 2015, following the Peshawar school massacre, Pakistan's government made biometric verification mandatory for issuing mobile SIM cards.

Some publications, including ProPakistani and daily newspaper The News, are continuing to report that the biometric data was hacked, but that's not the case, according to Pervez.

Rafay Baloch, lead security researcher at Cyber Citadel and former cybersecurity adviser to the Pakistan Telecommunication Authority, confirms to Information Security Media Group that NADRA's back-end data has not been hacked.

"I think the facts have not been conveyed properly, or misrepresented," he says.

The data security and privacy protection capabilities of Pakistani telecom firms were put under the microscope when Pakistan-based cybersecurity firm Rewterz discovered that a data dump of 115 million Pakistani mobile users had been put up for sale on a dark web forum.

In September, NADRA rolled out a new feature in its app that could be used to capture the biometric data of Pakistani citizens, upload digital photographs and scan documents for processing national IDs.

In a LinkedIn post, Tariq Malik, chairperson and CEO of NADRA, said the initiative had served as a catalyst in digitalizing Pakistan. "To balance public convenience with protecting personal data, the NADRA platform deploys privacy-by-design and security-by-default principles coupled with multilevel authentication," he said.

NADRA officials have not responded to ISMG's request for confirmation of the recent data leak incident.

Exploiting Biometric Data

Although biometric data is perceived to be a stronger, more fool-proof identity matching and authentication mechanism compared to passwords and PINs, an Accenture study says that with increased adoption of biometric technologies, the incentive to attack biometric-enabled systems grows.

Baloch says that a user being tricked into giving their biometric information is no different from users being tricked into sharing their passwords, PINs or answers to security questions.

According to Accenture's report, biometric fraud detection capabilities are still limited. This encourages cybercriminals to use impersonation techniques and obfuscation tactics, manipulating one's own biometric data to avoid recognition.

A review of state-of-the-art biometric technologies showed that all biometric recognition systems can be spoofed. Even iris scans and DNA-based systems are vulnerable to cyberattacks, the report says.

Accenture's researchers suggest that presenting attackers with a series of varied and unpredictable barriers can make their work not only more challenging, but also impossible to systemize.

About the Author

Soumik Ghosh


Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.
