The National Database Registration Authority (NADRA), a federal institution that is the custodian of Pakistan’s official database of registered citizens, is set to finalise an inquiry identifying those behind a data leak involving the personal details of immediate family members of incumbent chief of army staff (COAS) Gen. Syed Asim Munir. The illegally-accessed information was reportedly used in an attempt to block Gen. Asim Munir’s appointment as army chief in November 2022. The inquiry into the data leak was ordered by chairman NADRA Tariq Malik.
See below NADRA’s detailed response
According to senior journalist Azaz Syed, in October 2022, a junior data entry operator at a NADRA facility in Kohlu, Farooq Ahmed, allegedly accessed the data of then-Lt. Gen. Asim Munir’s wife, and collected the family’s passport details and identity card numbers. Gen. Asim Munir’s family data was later input in the Federal Investigation Agency’s (FIA) Integrated Border Management System (IBMS) to track the international travel destinations of the family.
At the same time, five senior lieutenant generals of the Pakistan army were contending for the post of army chief.
The intent, according to Azaz Syed, was that it could be proven that Syed Asim Munir, then a senior lieutenant general, or his family had traveled to Iran and “converted to Shia Islam“. Such allegations would be used to create suspicion in the eyes of Saudi Arabia, a close ally of Pakistan, regarding the senior army officer. Azaz Syed linked this to the ‘leaking’ of certain information to the Saudi defence attaché, who then transmitted it back to Riyadh.
Azaz Syed reiterated that Gen. Asim Munir had already served in Saudi Arabia, so the Saudi government was obviously surprised at this information. Moreover, Gen. Asim was known to not have a ‘sectarian mindset’, but Azaz Syed clarifies that this entire ruse was manufactured “as a method was adopted to prevent the appointment of the army chief, and Saudi Arabia was given the wrong information”. The Saudi government then contacted prime minister Shehbaz Sharif, who “checked that information from his system”. Once the checks were complete, “a new report was furnished, and the Saudi government was informed that the earlier information given by the defence attaché is erroneous”.
Azaz Syed purports that the misgivings generated by these false reports were the actual reason behind the delay in appointing Gen. Syed Asim Munir as chief of army staff (COAS) during late November 2022.
Prime minister Shehbaz Sharif thereafter launched an investigation into the sharing of false reports of such a serious nature with an allied government, which was the key to uncovering this entire conspiracy. Since the roots of this nefarious initiative were planted at NADRA, an inquiry was started and six officials – Farooq Ahmad (junior executive), Rehman Butt (deputy director), Rasheed Ahmed (assistant director), Saif Ullah (deputy assistant director), Sajid Sarwar (assistant superintendent), and Muhammad Ali (deputy assistant director) – were suspended immediately.
According to Azaz Syed, these junior officials have furnished evidence that they were ordered by their superiors to generate reports containing the data, and it was possible that they did not know whose data they were retrieving from the NADRA database, or why. It should be noted that these six junior staffers have still not been restored to their positions, and were summarily suspended by NADRA on December 14 at the start of the inquiry.
During the inquiry, two senior officers of NADRA, Khalid Anayatullah (director general) and Amir Bukhari (director), were identified as “key players” behind accessing the personal data of the army chief and his immediate family members. Both officers allegedly named close relatives of other senior generals – who were also contenders for the army chief position in October 2022 – as those who requested this data. Azaz Syed said that both NADRA officers were cooperating with the inquiry, and that the people who came to them requesting this data, did so “in their personal capacities”.
Initially, the NADRA inquiry into the data leak was supervised by Brigadier (retd) Khalid Latif. He was later found to be a close aide and confidante of retired Lt. Gen. Faiz Hameed, one of the contenders for COAS at the time. Latif has subsequently been replaced by senior NADRA officer Ali Javaid, who is reported to be upright and of honest repute.
It is reported Latif and three other military personnel had recently been given an opportunity to resign in order to avoid inquiries, and perhaps punishment as well. Latif resigned his commission as a brigadier of the Pakistan army, but is again under scrutiny for his activities which appear to have benefited his erstwhile patron Faiz Hameed.
A former spymaster and ex-chief of Pakistan’s Inter Services Intelligence (ISI) agency, Lt. Gen. (retd) Faiz Hameed has been widely suspected of orchestrating a network of well-placed officials in the intelligence, military, bureaucratic, and even judicial apparatus to do his bidding. According to reports that have been made public, this network was operating even when Hameed himself was not heading Pakistan’s premier intelligence agency. This network allegedly drummed up his candidature as potential army chief when he was a corps commander in Bahawalpur. This network is also alleged to have been functional even after Faiz Hameed retired from the army.
Once presumed to be the favoured choice of former prime minister PTI chairman Imran Khan for the post of Pakistan’s army chief, Lt. Gen. (retd) Faiz Hameed sought early retirement from the army last year – the application was swiftly approved. He has since been accused of amassing wealth beyond his known sources of income. PMLN chief organiser Maryam Nawaz has called for Faiz Hameed to be tried and court martialed under army regulations.
According to Azaz Syed, the ongoing inquiry is expected to expose the faces inside NADRA and elsewhere whose fingerprints are all over this conspiracy against army chief Gen. Asim Munir. However, the actual ‘masterminds’ inducing or forcing these officers to undertake these illegal activities might never face public punishment. But the names of former chief of general staff (CGS) Lt. Gen. (retd) Azhar Abbas, and former DG ISI Lt. Gen. (retd) Faiz Hameed, have so far “cropped up in the inquiry,” as per Azaz Syed.
A top NADRA official has confirmed that an inquiry is taking place into the leak of details associated with family members of Gen. Asim Munir, but refused to reveal any details, citing the sensitive nature of ongoing investigation.
April 1, 2023
Source: The Friday Times, The News International
COAS data accessed with illegitimate motives: Nadra
Chief of Army Staff (COAS) General Asim Munir. — Twitter/@OfficialDGISPR/File
Chief of Army Staff (COAS) General Asim Munir. — Twitter/@OfficialDGISPR/File
ISLAMABAD: After the publication of a detailed story in The News on Sunday by this correspondent, Nadra has issued a detailed statement confirming the data theft of Army Chief’s family. It also said that Nadra Chairman Tariq Malik was away on leave abroad when this incident took place, however, there is still a missing point why the junior staff of the organisation was suspended and still facing the consequences of the alleged crime carried out by some bigwigs. Below is the detailed version of Nadra:
About the news item published in The News captioning “Nadra finalises probe into illegal access to COAS family’s data’ dated April 02, 2023, it is to clarify that the subject probe into illegal access to COAS family’s data is a continuation of Nadra’s stringent measures to protect the citizens’ data from unauthorised access, when he sought help from premier security agency upon assumption of charge as chairman Nadra in June 2021.
Nadra provides identity verification services to various sectors, including financial institutions, the telecommunication industry, government institutions and law enforcement agencies for their legitimate usage. All of these institutions are accessing the verification services of Nadra under a legally signed contract, including a non-disclosure agreement.
Sadly, multiple users of different organisations had accessed the data of General Asim Munir before he was appointed Chief of Army Staff (COAS), which seemingly was done with illegitimate motives. Other than Nadra, nine institutions including law enforcement agencies, banks and housing authorities accessed the COAS’s family data.
About the ongoing inquiry, COAS’s family data was accessed in absence of Nadra Chairman Tariq Malik, who was on ex-Pakistan leave (on official assignment) in November 2022.
It is pertinent to further mention that Nadra Chairman Tariq Malik started an exercise to check who unauthorisedly had an access to his own personal data. It transpired through data analytics that 24 users accessed his personal data in November 2021. The scope of this exercise was then broadened to all the notable politicians, office holders and prominent public figures in early 2022. This led to a startling revelation that various institutions including law enforcement agencies, banks and housing authority accessed unauthorisedly the personal data of leading politicians and government functionaries.
Keeping data breach in view, Tariq Malik immediately put an end to a prevalent practice of unnecessarily checking citizens’ data unauthorisedly by taking certain measures. Safeguarding citizens’ data at best and preventing any illegal or unauthorised access to it, Nadra has rolled out an unprecedented Data Protection Regime i.e. a multi-layered control mechanism along with a host of other measures for the security and protection of citizens’ data. Besides that, all other institutions were also informed about the breach of data from respective platforms and urged to take necessary action in a bid to avoid such unwarranted incidents in future.
Consequently, zero tolerance policy protocol was implemented for adherence at all levels of the authority. It is pertinent to mention that on assumption of charge in June 2021, Tariq Malik voluntarily gave up the “super access” to the citizens’ personal data and implemented an IA-based automated auditing software to keep an eye on 22 thousand employees of Nadra.
In this regard, Tariq Malik had forewarned all the employees of the authority with respect to data protection regime through official communication respectively on 18th November 2022, 19th December 2022 and 3rd February 2023. The employees were duly informed that Artificial Intelligence-based system had been implemented to protect citizens’ data by monitoring the behaviour and working of all employees at work place. Unauthorised access to citizens’ data is a non-bailable offense under Section 28 of Nadra Ordinance 2000 punishable with imprisonment of 5 years, fine of 1 million or both.
This system had, at various times, effectively thwarted attempts by employees to gain unauthorised access to citizens’ personal and family information by means of proactive auditing software and security checks.
The auditing software resultantly held to identify more than three thousand employees’ user access which had been reviewed and withdrawn. This helped to initiate inquires against 377 employees terminating 131 employees who unauthorisedly accessed the citizens’ data. Stern action as per Government Servants (Efficiency & Discipline) Rules 1973 will also be taken against all in this regard.
Further strengthening the mechanism of data protection, Nadra introduced a multi-biometric verification system on 23rd December 2022 to obviate the fraudulent issuance of cellular sims and to make the illegal use of fake fingerprints impossible.
In another significant development to protect the privacy of citizens data in the wake of March 2023, Nadra launched ‘Ijazat Aap ki’ service, a revolutionary initiative that outs citizens in charge of their own personal data. The cutting-edge service empowered citizens to give their consent before verification of the CNIC, ensuring that their sensitive data is protected and secure at all times.
Reinforcing Nadra’s commitment to maintain security and integrity of citizens’ data and validating the security built into the application design & processes, Tariq Malik revived its information security department, which was earlier made dysfunctional in 2014. Such initiative helped the authority to implement Defense in Depth as security strategy that leverages security measures at different layers to protect an organisation’s digital assets. Security by default (SbD) and privacy by design (PbD) protocols are two fundamental strategies at the heart of authority’s product and service development life cycle.
Following this commitment, Nadra achieved ISO 27001 certification for its security and privacy implementations in December 2023.
While walking an extra mile, Nadra Chairman Tariq Malik wrote a letter to the President of Google (Asia Pacific) in February 2023 and expressed his concern about the personal data of residents of Pakistan being illegally put on sale by fraudulently impersonating the authority. In response, Google has so far removed 22 illegitimate apps (selling/phishing personal data) and websites.
As regards to the ongoing probe into the COAS family’s data, the Nadra chairman ordered the inquiry which is in the closing phase. The culprits from DGs to the data entry operator have been identified. The inquiry will soon be taken to a logical conclusion.
April 3, 2023
Source. The News International