Cyber security deficiency led to data theft at SECP, report finds
ISLAMABAD An initial report suggests that the data stolen from the Securities and Exchange Commission of Pakistan’s website recently was mainly due to the absence of a proper and updated cyber security mechanism.
A group of hackers scrapped off data of the commission’s directors by using a weak digital link at its website. The initial report, however, suggested the hacking could have been averted had the department conducted in time a test known as “vulnerability and penetration testing” for its website and IT systems, which was due in February this year. Incidentally, the SECP has yet to carry out the test.
While the data scrapped from the SECP website included the names of companies and their directors, three items of crucial back-end information were siphoned off by the hackers — the CNIC numbers, permanent addresses and names of the directors’ fathers.
Some of this information has been placed at a website, www.companieshouse.pk, and the SECP, with the cooperation of the Pakistan Telecommunication Authority (PTA), has been able to close it down. The authorities have been asked to cancel the domain registration of companieshouse.pk.
Meanwhile, a federal government agency, the National Telecommunication and Information Security Board (NTISB), has approached the SECP for a briefing on the matter. The briefing is scheduled for Sept 1.
Sources told Dawn that the NTISB had requested a security agency to be part of the briefing as it was aimed at ensuring data safety in all government departments as well as in regulatory bodies. The NTISB advises the federal government on security aspects of information and telecommunication technology. Its board includes heads of Nadra, PTA and NTC.
Although the SECP has not confirmed it, sources in the government say NTISB experts have already started the preliminary work and the second phase of investigations, including the ground check of SECP, will be conducted after the SECP briefing.
In reply to a question, an official said the quality assurance team had executed the initial vulnerability scan and all weak links at the website had been strengthened.
“All the application programming secret keys used for data exchange with government entities have been changed, and a third-party security audit firm to conduct an independent Vulnerability and Penetration Testing (VAPT) of website has been hired,” a spokesperson said.
Debate continues at senior levels in the SECP over conducting an independent inquiry over the hacking not only to determine flaws in cyber security but also to ensure that none of the human resource in the commission was linked with the data siphoning by hackers.
Published in Dawn, August 29th, 2022