Alleged massive NADRA breach does not include biometrics; evidence pending

A joint investigation team told Pakistan’s Interior Ministry this week that a breach from NADRA’s national identity database has been confirmed, Geo News reports. The announcement is the latest twist in a saga in which accusations and denials have been far more plentiful than presentations of evidence.

As many as 2.7 million people’s records are involved, according to investigators.

The joint investigation team was headed by an official from the Federal Investigation Agency (FIA). It says that data was stolen from servers in Multan, Karachi and Peshawar. The team recommended that legal action be taken against NADRA senior officials responsible at the time. The breach took place between 2019 and 2023, according to Geo. The Deccan Chronicle reports that an upgrade of NADRA’s technology is also recommended.

Usman Mobin served as chairman of NADRA from 2015 to 2021, and Tariq Malik served as chairman from June of 2021 to June of 2023. They are the only civilian heads of NADRA in the agency’s history. The agency is now chaired by Lieutenant General Muhammad Munir Afsar.

The report also contains sensational allegations of the data being traced to Argentina and Romania via Dubai.

A source familiar with the security incident who declined to be named tells Biometric Update that no biometric data was breached in the attack. The source confirmed that text data such as names, mobile numbers and addresses of NADRA-holders was breached.

The source said the breach was the result of a supply chain attack involving a PTCL router deployed to a NADRA facility in Multan, Punjab. The breach also began earlier than investigators claim, in 2016, according to the anonymous source.

Biometric Update is unable to confirm either the details provided by the FIA-led investigation or the anonymous source.

Perhaps most curious is uncertainty about whether the breach is new information. An FIA official told a parliamentary panel that a NADRA biometric database was compromised in November, 2021. The accusation was denied by NADRA, and Malik said at the time that the allegations were intended to sow chaos and undermine public trust in the institution.

Malik resigned amid a polarized political environment. This occurred shortly after NADRA sacked over a hundred employees for violations of data security measures, several of whom had been found responsible for leaking personal data belonging to a senior military official and his family following four investigations ordered by Malik, Dawn reported. NADRA had also introduced several data protection measures, including a system for notifying people when their records are accessed.

By then, the story of the NADRA breach had already had a winding journey, with an initial report denied in its entirety by the FIA as “not based on facts.”

Article Topics

biometrics  |  data protection  |  digital identity  |  identity management  |  NADRA  |  national ID  |  Pakistan