Islamabad — Pakistan’s telecom regulator has confirmed that the personal information of an estimated 300,000 to 350,000 people who applied for Hajj is circulating on the dark web, a revelation that has triggered official investigations and renewed demands for a long-delayed national data protection law.
Chairman of the Pakistan Telecommunication Authority (PTA), Major General (R) Hafeez-ur-Rehman, told a Senate Standing Committee on Information Technology that the breach affects hundreds of thousands of citizens and first surfaced in 2022. The disclosure was made during a high-profile briefing chaired by Senator Palwasha Khan.
Key Facts
Scale of exposure: The leak involves roughly 300,000 individuals, with some reports placing the figure as high as 350,000.
First appearance: PTA acknowledged the dataset was first detected on the dark web in 2022, prompting an internal inquiry at the time.
Data types compromised: Reports indicate the stolen records include SIM-owner information, call logs, residential addresses, copies of national ID cards (CNICs), and in some cases, banking details and international travel histories. Such information could be weaponized for identity theft, SIM swapping, and targeted scams. [Biometric Update]
SIM ownership data: PTA emphasized that SIM records are held by telecom companies rather than a central government database. Nonetheless, aggregated sets of this information have been compiled and sold — including, reportedly, the PTA chairman’s own SIM records.
Official Response
The Ministry of Interior and specialized cybercrime units have launched inquiries into the breach. PTA has urged a comprehensive forensic investigation to determine how the data was stolen and to identify the actors behind the leak. Members of the Senate committee expressed frustration over repeated lapses in digital security and called for greater accountability. [Geo News]
Legal Vacuum
Pakistan remains without a comprehensive data protection law despite years of drafting and debate. A proposed Personal Data Protection Bill, modeled in part on international frameworks such as the EU’s GDPR, has been prepared by the Ministry of IT and Telecommunications and even cleared by the federal cabinet in draft form. Yet it remains stalled in Parliament. Experts and lawmakers alike warn that this regulatory gap leaves citizens vulnerable to repeated breaches with limited avenues for redress.
What We Still Don’t Know
Source of breach: Public reporting suggests the leaked dataset may have been assembled from multiple institutions, but the precise entry points — whether government databases, private contractors, or telecom operators — remain unidentified. No forensic attribution has been made public.
Scope and freshness: While the data first appeared on the dark web in 2022, it is unclear whether the listings now circulating are entirely historical or if new exfiltrations have occurred more recently. PTA’s testimony suggests the information continues to be available, fueling uncertainty about the scale of ongoing risk.
A Growing Security Challenge
The disclosure highlights the fragile state of Pakistan’s digital infrastructure and the urgent need for enforceable privacy protections. Without a binding legal framework, analysts warn, such breaches are likely to recur — putting millions of citizens at risk of identity theft, financial fraud, and state-level cyber vulnerabilities.
