Leaky databases

Published May 15, 2022
The writer is a data privacy and technology law specialist.

LAST year in April, Pakistani social media was abuzz with complaints by bank customers about having their money stolen via fraudulent and unauthorised internet transactions, money transfers, asset transfers, etc. After days of chatter, the bank concerned released only a short press release in which it maintained that it did not suffer any data breach. The statement appeared to imply that the transactions occurred because customers provided their confidential PINs and other details via phishing attacks and by accepting payment requests from fraudulent sources. The netizens did not agree and the discourse continued.

The large number of victims and their geographical spread, along with the fact that many claimed never to have activated internet banking at all, or never to have received OTPs for these transactions, suggests some form of data breach may indeed have occurred. It also indicates that sensitive personal data of many customers somehow went into the wrong hands, allowing attackers to access others’ accounts or use their debit or credit cards for online transactions.

Obviously, it is hard to say anything as not much information was given out by the bank. Victims’ concerns could thus not be allayed. Furthermore, it was unfortunate that the statutory regulator of commercial banks, the State Bank of Pakistan, was quick to reject the news later in the year that some banks had suffered a cybersecurity breach in Pakistan. One did not come across any news of a serious investigation being undertaken. Neither has the FIA, the concerned law-enforcement agency for cybercrime, thrown any light on such incidents and the progress surrounding their investigation.

As the world grows more interconnected via the internet, people have heavily begun to rely on digital banking services and other financial technological tools for the sake of convenience. This shift has been especially accelerated by a worldwide pandemic, which forced much of the world to rely more on digital spaces for many aspects of everyday life. From paying bills to transferring money, internet-based banking and its supporting services are here to stay. Hence, the solution to such a crisis cannot entail deactivating our digital banking services and becoming wary of internet transactions.

We cannot live in fear of digital highway robbers and expect to develop and grow as a nation. The solution is to increase our awareness of the digital world, improve the security of our systems, build stronger policies for the protection of our data, legislate more robust and consumer-friendly laws, and demand more services and better security from our banking institutions, our regulators and the law-enforcement agencies.

One highly effective tool to protect consumers from the ever-growing risk of cybersecurity breaches is to legislate data breach notification laws. Almost a global standard today, data breach notification laws require covered entities such as businesses, banks and government departments to keep logs detailing their systems’ security.

Whenever there is a belief or suspicion that there has been unauthorised access to or acquisition of the personal data of customers/users, the covered entities are obligated to notify the affected persons, the regulators and law-enforcement agencies about the incident. The notification to the affected persons whose data has potentially been compromised needs to be sent as quickly as possible and should contain all the relevant details of the breach as well as appropriate advice on immediate steps they can take to protect themselves from the risk of identity theft. Failure to send these notifications makes the covered entity liable to civil penalties imposed by the regulator, or to being collectively sued by the private citizens who were harmed by the breach.

Currently, neither the SBP Regulations on the Security of Internet Banking (2015) nor the BPRD Circular No. 07 of 2016 on ‘Prevention of Cyber Attacks’ has this requirement (there is only a requirement for banks to report security breaches to the State Bank every quarter). Obviously, those in any industry or public department that utilise the personal data of the citizens of Pakistan will raise a hue and cry that such an obligation will be very onerous and very costly to implement. But personal data can be manipulated by unknown actors if they gain access to it, and could be used by them to destroy our lives via identity theft and a whole host of other criminal activities.

If we are to allow businesses and governmental departments to collect and use such sensitive personal data about us then we must ensure that our data is not only kept safe and secure but that if it is compromised, we are the first ones to hear about it.

Published in Dawn, May 15th, 2022