-
Unknown hackers have compromised the Capital Development Authority’s property and water billing system, holding data hostage for three days and counting.
-
The attackers are threatening to upload stolen CDA data onto the dark web unless the authority pays a ransom in Bitcoin.
-
CDA’s spokesperson has confirmed that all backup data remains safe, and technical teams are working to restore the online billing system as quickly as possible.
Unknown hackers just breached the property of the Capital Development Authority (CDA) alongside the water billing infrastructure in Islamabad, demanding a ransom in Bitcoin and leaving city managers scrambling for three consecutive days, Dawn has learnt.
The attackers reportedly hold data related to property charges, conservancy fees, and water billing, and are threatening to publish the stolen records on the dark web if the authority refuses to pay.
Days Gone By Already Since the Compromise, Pakistani Official Reveals
The timing makes the attack particularly disruptive. June marks the financial closing month for the authority, when a large number of residents typically settle their outstanding property and tax dues.
According to an official from CDA’s revenue directorate, the systems have remained compromised for three days straight, precisely during this high-traffic payment window.
The revenue directorate, NRTC (the vendor to CDA), and the Department of Information Technology are making every effort to retrieve the data. The same official expressed hope that the situation would reach a resolution by Friday.
Several citizens confirmed the disruption to Dawn, reporting that CDA’s online payment links remained inaccessible. The CDA website itself stayed functional, but the portal’s bill payment feature was unavailable as of 9 pm Thursday, leaving residents unable to clear their dues through official digital channels.
Ransomware Hits as Islamabad Closes Its Financial Books
The CDA maintains comprehensive records covering all residential and commercial properties within city limits, including allotted plots and developed units. Properties in rural surrounding areas fall under the revenue department of the district government. The breach, therefore, strikes at the heart of the authority’s administrative and financial operations at one of its busiest periods of the year.
This attack does not arrive in isolation. In 2024, internet gangs from India reportedly hit the CDA platform and published data on the “dark web.”
Such cross-border cyberattacks have prompted international legal action, including recent efforts by Google to sue foreign hackers and push for stronger legal frameworks.
The authority restored the website within days, but the incident sent shockwaves through the civic body and drew attention at the federal government level.
The Prime Minister’s Office took notice of that breach, and the CDA board subsequently authorized the authority to engage a cybersecurity firm under a running contract to protect its digital infrastructure going forward.
An official from CDA’s IT wing confirmed that the authority did bring on a cybersecurity firm following the 2024 incident. However, a separate official claimed that CDA and its vendor had maintained no backup data for the past six months, a claim that CDA spokesperson Shahid Kiani firmly rejected.
CDA Says Backups are Safe, Payments Were Not Affected
According to Shahid Kiani, Pakistna CDA’s billing system covering property charges, conservancy fees, and water accounts is currently under active cyberattack. He maintained, however, that all backup data remains fully secure on the authority’s servers.
Kiani stated that technical teams are actively recovering all billing-related data from secure backup servers to ensure no permanent loss occurs, and that the online system will return to full functionality very soon.
Kiani also moved to reassure residents who had already completed online payments before the disruption. He clarified that all transactions processed through the 1-Link system or other authorized online banking channels remain completely safe and are unaffected by the breach.
The attack raises uncomfortable questions about the resilience of Pakistan’s civic digital infrastructure, especially given that a cybersecurity firm was already in place following last year’s breach.
That a second significant attack has occurred within roughly twelve months suggests that the protections put in place after 2024 may not have gone far enough. For now, residents hoping to clear their bills before the June deadline will have to wait, while CDA’s technical teams race to bring the system back online and contain whatever damage the attackers have already done.
