ISLAMABAD: After the publication of a detailed story in The News on Sunday by this correspondent, Nadra has issued a detailed statement confirming the theft of data of the Army Chief’s family. It also said that Nadra Chairman Tariq Malik was away on leave abroad when the incident took place. However, it remains unexplained why the organisation’s junior staff were suspended and are still facing the consequences of an alleged crime carried out by some bigwigs. Below is Nadra’s detailed version:
About the news item published in The News captioned “Nadra finalises probe into illegal access to COAS family’s data” dated April 02, 2023, it is to clarify that the subject probe into illegal access to COAS family’s data is a continuation of Nadra’s stringent measures to protect the citizens’ data from unauthorised access, when he sought help from premier security agency upon assumption of charge as chairman Nadra in June 2021.
Nadra provides identity verification services to various sectors, including financial institutions, the telecommunication industry, government institutions and law enforcement agencies for their legitimate usage. All of these institutions are accessing the verification services of Nadra under a legally signed contract, including a non-disclosure agreement.
Sadly, multiple users of different organisations had accessed the data of General Asim Munir before he was appointed Chief of Army Staff (COAS), which seemingly was done with illegitimate motives. Other than Nadra, nine institutions including law enforcement agencies, banks and housing authorities accessed the COAS’s family data.
About the ongoing inquiry, COAS’s family data was accessed in the absence of Nadra Chairman Tariq Malik, who was on ex-Pakistan leave (on official assignment) in November 2022.
It is pertinent to further mention that Nadra Chairman Tariq Malik started an exercise to check who unauthorisedly had access to his own personal data. It transpired through data analytics that 24 users accessed his personal data in November 2021. The scope of this exercise was then broadened to all the notable politicians, office holders and prominent public figures in early 2022. This led to a startling revelation that various institutions including law enforcement agencies, banks and housing authority accessed unauthorisedly the personal data of leading politicians and government functionaries.
Keeping data breach in view, Tariq Malik immediately put an end to a prevalent practice of unnecessarily checking citizens’ data unauthorisedly by taking certain measures. Safeguarding citizens’ data at best and preventing any illegal or unauthorised access to it, Nadra has rolled out an unprecedented Data Protection Regime i.e. a multi-layered control mechanism along with a host of other measures for the security and protection of citizens’ data. Besides that, all other institutions were also informed about the breach of data from respective platforms and urged to take necessary action in a bid to avoid such unwarranted incidents in future.
Consequently, a zero-tolerance policy protocol was implemented for adherence at all levels of the authority. It is pertinent to mention that on assumption of charge in June 2021, Tariq Malik voluntarily gave up the “super access” to the citizens’ personal data and implemented an AI-based automated auditing software to keep an eye on 22 thousand employees of Nadra.
In this regard, Tariq Malik had forewarned all the employees of the authority with respect to data protection regime through official communication respectively on 18th November 2022, 19th December 2022 and 3rd February 2023. The employees were duly informed that Artificial Intelligence-based system had been implemented to protect citizens’ data by monitoring the behaviour and working of all employees at work place. Unauthorised access to citizens’ data is a non-bailable offense under Section 28 of Nadra Ordinance 2000 punishable with imprisonment of 5 years, fine of 1 million or both.
This system had, at various times, effectively thwarted attempts by employees to gain unauthorised access to citizens’ personal and family information by means of proactive auditing software and security checks.
The auditing software resultantly helped to identify more than three thousand employees’ user access which had been reviewed and withdrawn. This helped to initiate inquiries against 377 employees, terminating 131 employees who unauthorisedly accessed the citizens’ data. Stern action as per Government Servants (Efficiency & Discipline) Rules 1973 will also be taken against all in this regard.
Further strengthening the mechanism of data protection, Nadra introduced a multi-biometric verification system on 23rd December 2022 to obviate the fraudulent issuance of cellular sims and to make the illegal use of fake fingerprints impossible.
In another significant development to protect the privacy of citizens’ data in the wake of March 2023, Nadra launched ‘Ijazat Aap ki’ service, a revolutionary initiative that puts citizens in charge of their own personal data. The cutting-edge service empowered citizens to give their consent before verification of the CNIC, ensuring that their sensitive data is protected and secure at all times.
Reinforcing Nadra’s commitment to maintain security and integrity of citizens’ data and validating the security built into the application design & processes, Tariq Malik revived its information security department, which was earlier made dysfunctional in 2014. Such initiative helped the authority to implement Defense in Depth as a security strategy that leverages security measures at different layers to protect an organisation’s digital assets. Security by default (SbD) and privacy by design (PbD) protocols are two fundamental strategies at the heart of authority’s product and service development life cycle.
Following this commitment, Nadra achieved ISO 27001 certification for its security and privacy implementations in December 2023.
While walking an extra mile, Nadra Chairman Tariq Malik wrote a letter to the President of Google (Asia Pacific) in February 2023 and expressed his concern about the personal data of residents of Pakistan being illegally put on sale by fraudulently impersonating the authority. In response, Google has so far removed 22 illegitimate apps (selling/phishing personal data) and websites.
As regards the ongoing probe into the COAS family’s data, the Nadra chairman ordered the inquiry which is in the closing phase. The culprits from DGs to the data entry operator have been identified. The inquiry will soon be taken to a logical conclusion.