On Nov. 5 panic broke out across Pakistan over media reports suggesting a major security breach had compromised banking data of millions, with the Federal investigation Agency’s (FIA) cybercrime wing going so far as to suggest data from “almost all” Pakistani banks had been stolen by hackers.
In a bid to stem the growing unease, the State Bank of Pakistan issued a statement claiming only one bank, BankIslami, had been affected in late October, and the rest of the country’s banking institutions remained secure. “There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency,” it added, referring to reports of the stolen banking data. Unsurprisingly, in the face of mounting evidence to the contrary, the public is unwilling to buy the clarification.
A report widely circulated on social media, compiled by Karachi-based cyber-security company PakCERT, claims the information of 19,864 debit cards issued by 22 Pakistani banks had been compromised and offered for sale on the dark web. Screenshots of the postings show the data being offered for sale at $100-$160, depending on the number of cards accessed. In addition, customers of all major banks have reported receiving text messages informing them that all online and international transactions have been temporarily restricted on debit card users, further raising anxiety levels.
Some experts have claimed that this data was likely stolen using ATM skimmers, a hacking device that steals debit card data from ATMs when customers use them to withdraw funds, rather than through cyber-hacking. Cyber-security experts, meanwhile, have urged anyone potentially affected to immediately cancel their debit cards and seek out replacements from banking institutions to avoid their data and funds from being exposed to risk. It is important to note that most banks have clarified that no chip-based credit cards have been affected—further fueling rumors that as only debit card details have been offered for sale, there must be some truth to the reports circulating online.
While the monetary damage may be significant, there is even greater risk of potential identity theft as many people’s debit card data includes security questions and ATM pins that could allow hackers to access their entire banking information. This is potentially very troubling as this data could be used by simple criminals or terrorists, exposing the affected to incredible jeopardy.
Whether or not a single bank, or 22 banks, was affected there can be no denying that this situation has exposed a major cyber-security issue in Pakistani banks that must be fixed. The government must step in and investigate and punish any people found responsible. It must also enact legislation requiring banks to strengthen their cyber-security to ensure something like this can be preempted in future. This incident was a wakeup call. We should not bury our heads under the covers in the hopes that it will just go away on its own.