240 Million Pakistanis’ Personal Data Listed for Sale on Dark Web

Sensitive data for millions of Pakistan citizens (240 million to be specific as per the reports) has reportedly been listed for sale on the dark web, brewing a potential major national security crisis in the country. Pakistan Muslim League-Nawaz (PML-N) Senator Afnanullah Khan revealed this dreadful information during a meeting of the Senate Standing Committee on Interior.

He claimed that the displayed samples for sales on the dark web is an all-encompassing data from NADRA (National Database and Registration Authority), FBR (Federal Board of Revenue), and several banks. Shockingly, the senator revealed that anyone can buy the digital identity of a Pakistani citizen for as little as 500 Pakistani Rupees.

The situation points to a catastrophic breach of state-held information. Senator Khan emphasized the severity, asserting that data theft of this magnitude can only happen with the involvement of an insider of the department.

This pattern of potential insider compromise is not limited to state databases, as seen in other major breaches targeting Pakistani infrastructure. This allegation of insider complicity has intensified fears and cast a shadow over the country’s primary data custodians.

A Brazen Case of Impersonation: Fraudster’s Exploit of a Lawmaker’s Identity

The chilling real-world example presented at the same hearing illustrated the theoretical risks of this data leak. A lawyer who serves as a consultant to the Attorney General’s office has reported his own instance of significant identity fraud.

This consultant indicated that in 2023, an individual created a counterfeit passport in Pakistan using information obtained through the illegal acquisition of his ID. The imposter was then able to use that fake passport to enter India.

As a result, the crime caused the real victim severe emotional distress. After criminals stole his identity, he had to take his parents to NADRA to verify his identity and prove that he was a legitimate citizen of Pakistan.

This incident indicates not only the extent of the data theft taking place, but also the serious risk involved when people have access to false identity records that allow them to travel across borders without any consequence. This vulnerability aligns with wider warnings about Pakistani criminal networks exploiting digital tools, as reports indicate traffickers are using dark web markets and e-commerce techniques to facilitate illicit global operations.

A Recurring Pattern: Historical Precedents of Official Data Breaches

This latest breach is not an isolated event and is part of a much greater number of repeated instances of security breaches and information leaks related to the individual information of Pakistan. With multiple cases of such data breaches, the senator’s concerns regarding the data breaches have merit.

Here are some of the documented data breaches:

• The Hajj Pilgrimage data leak (September 2025): A few months ago, Major General (retd) Hafeez Ur Rehman, chairperson of the Pakistan Telecommunication Authority (PTA), informed the Senate Standing Committee on IT that criminals had found the personal information of approximately 300,000 Hajj applicants on the dark web. The chairman, in his initial statement, believed the urgent need for an inquiry into the identity of these hackers or the source.
• Official acknowledgement of several reported incidents: In a recently conducted hearing, the Director-General of Immigration and Passport issued a statement that his department has received information regarding “several instances of forgery” sent by NADRA, demonstrating that this is a recognized ongoing concern in Pakistan.

The continued occurrence of such incidents points to a systemic problem in how government agencies and commercial banks in Pakistan store, access, and share citizens’ sensitive information.

Official Response and Latest Moves to Curb Data Leaks

Under mounting pressure, authorities outlined several steps to control the crisis and prevent future identity theft:

• The formation of a new cybersecurity authority: The Minister of State for Interior, Talal Chaudhry, revealed that the Government has started laying out a new cybersecurity authority. This new authority will represent a centralized point through which the Government can better protect itself from any cyber/digital threats.
• The director-general of immigration and passports (DG IP) announced that they have developed a monitoring dashboard to screen applications and identity information, aiming to prevent fraudulent travel attempts.
• The government’s promise of increased security: The DG IP stated that there’s a guarantee that its longer possible for anyone to obtain a fake passport in the country. NADRA developed new technological enhancements, and Passport Offices have implemented them since the 2023 incident, prompting these assurances.
• Shifting the blame: In a controversial statement, the DG claimed that “people share their passport and identity card details via WhatsApp, and leaks can occur from there.” Analysts have met this explanation with skepticism, arguing that it shifts responsibility away from institutional security failures.

The major development in Pakistan’s digital security landscape is the recent discovery that a large amount of sensitive information is being traded on the dark web. The Government has formed a cybersecurity authority, but it continues to be cautious about the effectiveness of this action in practice.

The fact that a senior attorney has had his identity stolen so brazenly is indicative of just how dangerous these leaks can actually be. The public should take this incident as a serious lesson regarding how valuable their digital identities are and how exposed they may be in an interconnected world.