Hackers Post 0.35 Million Hajj Applicants’ Data on Dark Web 

Lawmakers have been alarmed by Hajj applicants’ data on the dark web, SIM and NADRA breaches, and the delay in the Data Protection Bill.

The Senate Standing Committee on Information Technology, chaired by Senator Palwasha Khan, on Friday voiced serious concerns over a series of alarming revelations about the security of Pakistan’s national data. Cabinet approves National Cyber Security Policy

During marathon sessions, members were briefed on multiple breaches that have exposed sensitive information of citizens, including Hajj applicants and SIM card users. Lawmakers also questioned the government’s failure to enact a long-awaited Data Protection Bill.

The most shocking disclosure came from the Pakistan Telecommunication Authority (PTA) Chairman. He confirmed that the personal information of around 350,000 Hajj applicants had been compromised and posted on the dark web.

“This is indeed a very serious matter. The protection of Pakistan’s data must be ensured,” he told the committee. He further explained that investigations were underway to identify how the breach occurred and whether it was part of a new wave of leaks or connected to earlier incidents reported in 2022.

Committee chairperson Palwasha Khan also pressed the officials on whether the newly established National Cyber Crime Agency (NCCA) which is still in its early stages, was capable of handling such a major responsibility. “This NCCA is new — how will it manage such a huge responsibility?” she asked. 

The PTA chief responded that the Interior Ministry had tasked NCCA with leading the inquiry, but questions over its capacity remained.

Lawmakers also raised concerns over potential breaches of Election Commission records. “Has data also been leaked from the Election Commission?” asked the chairperson. 

However, Senator Afnanullah clarified that voter rolls were already public and thus posed a different level of risk compared to more sensitive databases. 

Still, he warned of the dangers posed by the exposure of information held by NADRA, which contains the biometric and personal data of nearly every citizen. 

“If our NADRA data has been stolen, this is a huge disaster,” he stressed, adding that failure to protect national databases represented “a very big failure.”

The PTA chairman further admitted that his own SIM card information had been available on the dark web since 2022. He underscored the vulnerability of telecom records. He said inquiries into earlier breaches had confirmed that SIM-related data was stored with companies, but significant lapses allowed hackers to access and circulate it online. “So far, according to my information, SIM data is included,” he told the committee.

Committee members drew parallels with international experiences to emphasize the gravity of the situation. Senator Afnanullah pointed to Iran, claiming that during wartime, stolen data had been used against the country, leading to missile strikes. 

Senator Kamran Murtaza noted that in past hostilities with India, Pakistan had access to Indian data, which gave it a strategic advantage. “Our data should have been in safe hands,” he argued, warning that Pakistan’s inability to protect its own information could expose it to similar threats.

Much of the debate revolved around the stalled Data Protection Bill, which has yet to be presented in Parliament despite cabinet approval. “Why haven’t you brought the Data Protection Bill?” questioned committee chairperson Palwasha Khan. 

Senator Afnanullah expressed frustration, saying, “I worked so much on this bill, but even after cabinet approval it has not been tabled.” He accused certain quarters of blocking legislation that could safeguard citizens’ privacy. “The law that would stop this data theft is the very law we are not being allowed to enact,” he warned.

Officials from the Ministry of IT responded that some reservations still existed and the draft was being reviewed. But committee members were not convinced. Palwasha Khan labeled the delay “ministerial incompetence,” adding that the absence of the IT Minister from key committee sessions further reflected the government’s lack of seriousness. 

“The IT Minister does not attend committee meetings,” she complained. Ministry officials countered that the minister had attended other committees, but the chairperson insisted she would obtain a full attendance record to verify the claim.

The senators underscored that the consequences of repeated breaches were not only a matter of governance but also national security. “Data theft will have very dangerous consequences,” said Afnanullah, adding that Pakistan was paradoxically providing protection to foreign companies while leaving its own citizens exposed.

The committee reaffirmed its demand for urgent action. Members called for the immediate strengthening of cybercrime institutions, passage of the Data Protection Bill, and greater accountability from ministries tasked with safeguarding sensitive records.

“Ensuring data protection is not just a technical matter; it is a matter of national security and public trust,” said the chairperson. Until meaningful reforms are enacted, lawmakers warned, Pakistan’s citizens will remain vulnerable to both domestic exploitation and external threats.