0
The National Cyber Emergency Services Response Team (PKCERT) on Wednesday issued data protection guidelines for organisations handling citizens’ personal information, citing an increasingly insecure cyberspace environment.
PKCERT is a federal entity responsible for protecting Pakistan’s digital assets, sensitive information and critical infrastructure from cyberattacks, cyberterrorism, and cyber espionage.
The advisory, applicable to companies holding Personally Identifiable Information (PII), prescribes immediate, medium- and long-term measures, which include classifying data sets based on their sensitivity, advanced encryption methods, multi-factor authentication, and others.
Organisations collecting, processing, storing, or transmitting PII may include “financial services, telecommunications and internet providers, commerce and logistics [companies], government agencies, healthcare institutions, educational entities, as well as third-party and outsourced service providers,” the notification said.
In its recommendations, PKCERT instructed companies to keep their PII handling systems updated, retain PII only for legally required durations, and dispose of outdated information lest it be stolen.
It also urged organisations to align their practices with the National Cyber Security Policy 2021 (NCSP) as well as the Prevention of Electronic Crimes Act 2016.
The NCSP “mandates safeguarding the confidentiality, integrity, and availability of citizens’ personal data as a matter of national security and public trust,” reads the advisory.
PKCERT also called for an immediate review of the systems organisations have been using to handle PII, recommended security training for all staff handling personal information, as well as continuous monitoring to prevent unauthorised access.
Outlining possible vulnerabilities and threats, the cybersecurity body underscored the need for data protection, noting that in light of “the growing sophistication of cybercriminals, the widespread exploitation of misconfigured systems, and negligent data handling practices, urgent remediation measures are required.”
The advisory detailed that threat actors may include:
- Cybercriminal Gangs: Monetising stolen PII via identity fraud, phishing kits, and dark web marketplaces.
- State-Sponsored APT Groups: Using compromised citizen data for surveillance, political manipulation, and intelligence gathering.
- Hacktivists: Targeting organisations for ideological reasons, often leaking sensitive records publicly.
- Malicious Insiders: Employees or contractors exploiting privileged access for personal gain or revenge.
According to PKCERT, inadequate data protection can lead to “identity theft, fraud, mass privacy breaches, operational disruption, erosion of public trust, national security risks and legal and regulatory consequences.”
In its recommendations to individuals, the advisory outlined preventative measures such as submitting CNIC and personal documents only when necessary, using strong passwords, enabling multi-factor authentication, and avoiding sharing personal information online.
In May, PKCERT issued an advisory warning that the login credentials and passwords of more than 180 million internet users in Pakistan had been stolen in a global data breach, and urged citizens to take immediate protective measures.
In March 2024, a Joint Investigation Team (JIT) formed to probe a data leak from the National Database and Registration Authority (Nadra) had found that the credentials of as many as 2.7 million citizens had been compromised between 2019 and 2023.
