Leaky databases

Published May 15, 2022
The writer is a data privacy and technology law specialist.

LAST year in April, Pakistani social media was abuzz with complaints by bank customers about having their money stolen via fraudulent and unauthorised internet transactions, money transfers, asset transfers, etc. After days of chatter, the bank concerned released only a short press release in which it maintained that it did not suffer any data breach. The statement appeared to imply that the transactions occurred because customers provided their confidential PINs and other details via phishing attacks and by accepting payment requests from fraudulent sources. The netizens did not agree and the discourse continued.

The large number of victims and their geographical spread, along with the fact that many claimed never to have activated their internet banking at all, or never to have received OTPs for these transactions, suggests some form of data breach may indeed have occurred. It also indicates that sensitive personal data of many customers somehow went into the wrong hands, allowing attackers to access others’ accounts or use their debit or credit cards for online transactions.

Obviously, it is hard to say anything as not much information was given out by the bank. Victims’ concerns could thus not be allayed. Furthermore, it was unfortunate that the statutory regulator of commercial banks, the State Bank of Pakistan, was quick to reject the news later in the year that some banks had suffered a cybersecurity breach in Pakistan. One did not come across any news of a serious investigation being undertaken. Neither has the FIA, the concerned law-enforcement agency for cybercrime, thrown any light on such incidents and the progress surrounding their investigation.


As the world grows more interconnected via the internet, people have heavily begun to rely on digital banking services and other financial technological tools for the sake of convenience. This shift has been especially accelerated by a worldwide pandemic, which forced much of the world to rely more on digital spaces for many aspects of everyday life. From paying bills to transferring money, internet-based banking and its supporting services are here to stay. Hence, the solution to such a crisis cannot entail deactivating our digital banking services and becoming wary of internet transactions.

We cannot live in fear of digital highway robbers and expect to develop and grow as a nation. The solution is to increase our awareness of the digital world, improve the security of our systems, build stronger policies for the protection of our data, legislate more robust and consumer-friendly laws, and demand more services and better security from our banking institutions, our regulators and the law-enforcement agencies.

One highly effective tool to protect consumers from the ever-growing risk of cybersecurity breaches is to legislate data breach notification laws. Almost a global standard today, data breach notification laws require covered entities such as businesses, banks and government departments to keep logs detailing their systems’ security.

Whenever there is a belief or suspicion that there has been unauthorised access to or acquisition of personal data of customers/users, the covered entities are obligated to notify the affected persons, the regulators and law-enforcement agencies about the incident. The notification to the affected persons whose data has potentially been compromised needs to be sent as quickly as possible and should contain all the relevant details of the breach as well as appropriate advice on the immediate steps they can take to protect themselves from the risk of identity theft. Failure to send these notifications makes the covered entity liable to civil penalties imposed by the regulator, or to collective suits by those private citizens who were harmed by the breach.

Currently, neither the SBP Regulations on the Security of Internet Banking (2015) nor the BPRD Circular No. 07 of 2016 on ‘Prevention of Cyber Attacks’ has this requirement (there is only a requirement for banks to report security breaches to the State Bank every quarter). Obviously, those in any industry or public department that utilise the personal data of the citizens of Pakistan will raise a hue and cry that such an obligation will be very onerous and very costly to implement. But personal data can be manipulated by unknown actors if they gain access to it, and could be used by them to destroy our lives via identity theft and a whole host of other criminal activities.

If we are to allow businesses and governmental departments to collect and use such sensitive personal data about us then we must ensure that our data is not only kept safe and secure but that if it is compromised, we are the first ones to hear about it.


Published in Dawn, May 15th, 2022
