EDITORIAL: The outrage is not that Pakistan’s citizens have just discovered their personal data is for sale online, but that it has been allowed to remain so for years. Mobile SIM records, CNIC images, call logs and even travel histories are being hacked for as little as Rs500, leaving citizens, bureaucrats and even ministers exposed to harassment, fraud and blackmail. That this trade continues in plain sight, despite repeated promises of action, shows a governance failure that goes beyond weak technology. It reflects a state unwilling to enforce its own writ in the digital realm.

Everybody has been crying hoarse that data protection is integral to digitisation. Every speech about e-government, every plan for fintech, and every claim of digital inclusion has stressed that secure databases are the foundation of the modern economy. Yet here we are, with the very information that anchors identity, finance and communications being openly traded on websites that can be found with a simple Google search. If the modern world is built on data, Pakistan has left the keys in the ignition for anyone to drive away with.

The interior ministry has ordered an inquiry, a 14-member committee has been formed, and the National Cyber Crime Investigation Agency has been tasked with identifying culprits. But Pakistan has seen this sequence before. Committees produce reports, responsibilities are diffused, and the cycle repeats when the next breach is uncovered. The public is left with nothing more than platitudes while their data continues to circulate among criminals, scammers and hostile actors.

This is not an abstract concern. When identity records are compromised, citizens face very real dangers: fraudulent loans, extortion threats, blackmail with personal information, even targeting by criminal gangs. For senior officials and ministers, exposure of travel histories and call records carries direct national security risks. For ordinary people, it translates into misery, harassment and exploitation that they have no means to counter. A government that cannot protect its citizens’ data cannot claim to be protecting their lives and property.

The Pakistan Telecommunication Authority is at the centre of the storm. It has long claimed to block such websites, yet dozens of platforms continue to trade sensitive information without consequence. That speaks to either gross incompetence or wilful negligence. Regulatory bodies exist to anticipate threats, not to issue explanations after the damage has been done. If the PTA cannot deliver even basic enforcement of data privacy, its mandate and leadership must be urgently reviewed.

At last the PTA, after this incident, claims to have blocked such websites, and denied that this data breach is from the Telcos as the telecom sector does not have subscribers’ personal data such as family details, travels, etc. In its opinion, the leaked data appears to have been aggregated from multiple external sources.

Cyber-security experts have called this a systemic failure, and they are right. The weakness is not in one server or one ministry, but across the architecture of governance. Databases are built without encryption, access logs are not maintained, contractors are left unsupervised, and inter-agency coordination is absent. In such an environment, breaches are inevitable and accountability impossible. Reform requires more than an inquiry; it demands legal, institutional and technical overhaul.

That means enforceable data protection laws with real penalties, independent oversight that cannot be brushed aside, and mandatory audits for all entities handling personal data. It means transparent disclosure of breaches so that citizens know when their information is compromised and can take precautions. It means investing in cyber-security infrastructure with the same seriousness that is devoted to physical security. Above all, it means holding those responsible for regulatory lapses to account, not shielding them behind bureaucratic committees.

Pakistan’s path to digitisation is not optional. Banking, commerce, education and health are already moving from physical to online platforms. Without secure data practices, every initiative will be compromised at birth.

The irony is that the government promotes digitisation as a way to modernise, attract investment and expand services, yet by ignoring the foundations of data protection it undermines all three. Investors will not trust a market where customer data leaks freely. Citizens will not trust services that expose them to fraud. And the state will not be trusted if it cannot safeguard its own ministers’ records.

The breach that has now come to light is not the first and will not be the last unless decisive action is taken. Pakistan cannot afford a digital economy built on quicksand. Citizens deserve more than inquiries and promises; they deserve a state that treats their data with the seriousness it treats its borders. If data is the new oil, then its protection is the new sovereignty. Without it, digitisation is just a slogan, and every citizen is left unguarded in the modern age.

Copyright Business Recorder, 2025