Cyber security deficiency led to data theft at SECP, report finds

Published August 29, 2022
Logo of the Securities and Exchange Commission of Pakistan. — Photo courtesy: SECP website
Logo of the Securities and Exchange Commission of Pakistan. — Photo courtesy: SECP website

ISLAMABAD An initial report suggests that the data stolen from the Securities and Exchange Commission of Pakistan’s web­site recently was mainly due to the absence of a proper and updated cyber security mechanism.

A group of hackers scrapped off data of the commission’s directors by using a weak digital link at its website. The initial report, however, suggested the hacking could have been averted had the department conducted in time a test known as “vulnerability and penetration testing” for its website and IT systems, which was due in February this year. Incidentally, the SECP has yet to carry out the test.

While the data scrapped from the SECP website incl­uded the names of companies and their directors, three items of crucial back-end information were siphoned off by the hackers — the CNIC numbers, permanent addresses and names of the directors’ fathers.

Some of this information has been placed at a website, www.companieshouse.pk, and the SECP, with the cooperation of the Pakistan Tele­communication Authority (PTA), has been able to close it down. The authorities have been asked to cancel the domain registration of companieshouse.pk.

Meanwhile, a federal government agency, the Nati­onal Telecommunication and Information Security Board (NTISB), has approached the SECP for a briefing on the matter. The briefing is scheduled for Sept 1.

Sources told Dawn that the NTISB had requested a security agency to be part of the briefing as it was aimed at ensuring data safety in all government departments as well as in regulatory bodies. The NTISB advises the federal government on security aspects of information and telecommunication technology. Its board includes heads of Nadra, PTA and NTC.

Although the SECP has not confirmed it, sources in the government say NTISB experts have already started the preliminary work and the second phase of investigations, including the ground check of SECP, will be conducted after the SECP briefing.

In reply to a question, an official said the quality assurance team had executed the initial vulnerability scan and all weak links at the website had been strengthened.

“All the application programming secret keys used for data exchange with government entities have been changed, and a third-party security audit firm to conduct an independent Vuln­erability and Penetration Testing (VAPT) of website has been hired,” a spokesperson said.

Debate continues at senior levels in the SECP over conducting an independent inquiry over the hacking not only to determine flaws in cyber security but also to ensure that none of the human resource in the commission was linked with the data siphoning by hackers.

Published in Dawn, August 29th, 2022

Follow Dawn Business on Twitter, LinkedIn, Instagram and Facebook for insights on business, finance and tech from Pakistan and across the world.

Opinion

Editorial

Military convictions
Updated 22 Dec, 2024

Military convictions

Pakistan’s democracy, still finding its feet, cannot afford such compromises on core democratic values.
Need for talks
22 Dec, 2024

Need for talks

FOR a long time now, the country has been in the grip of relentless political uncertainty, featuring the...
Vulnerable vaccinators
22 Dec, 2024

Vulnerable vaccinators

THE campaign to eradicate polio from Pakistan cannot succeed unless the safety of vaccinators and security personnel...
Strange claim
Updated 21 Dec, 2024

Strange claim

In all likelihood, Pakistan and US will continue to be ‘frenemies'.
Media strangulation
Updated 21 Dec, 2024

Media strangulation

Administration must decide whether it wishes to be remembered as an enabler or an executioner of press freedom.
Israeli rampage
21 Dec, 2024

Israeli rampage

ALONG with the genocide in Gaza, Israel has embarked on a regional rampage, attacking Arab and Muslim states with...