Data from ‘almost all’ Pakistani banks stolen!

  • Cyber-security service says at least 19,864 debit card details belonging to 22 Pakistani banks are being sold on dark web
  • SBP says only BankIslami suffered data breach, all other banks are safe

The Federal Investigation Agency (FIA) cyber-crime wing on Tuesday warned that security of all Pakistani banks has been compromised after data from “almost all” the banks was stolen in a recent security breach.

Speaking to a local media outlet, FIA Cybercrime Director Capt (r) Mohammad Shoaib said that data from almost all Pakistani banks has been reportedly hacked by cyber criminals.

The FIA director further said hackers based outside Pakistan had breached the security systems of several local banks and stole large amounts of money from people’s accounts. “It shows banks are in need of drastic security improvement,” he added.

The FIA has written to all banks for a meeting to look into ways the security infrastructure of banks, the FIA director said, adding, “Being custodians of the money people have stored in them, banks are also responsible if their security features are so weak that they result in pilferage.”

The banking sector has been rife with rumours of a possible cyber-attack after a digital security website said that data of over 8,000 account holders of about 10 Pakistani banks was sold in a market of hackers.

The first victim of this possible cyber-attack was BankIslami, that reported an attack on October 27 in which at least Rs2.6 million was stolen from international payment cards. Consequently, the bank stopped such transactions and allowed biometrically verified payments only on ATM cards within Pakistan.

The next day, the State Bank of Pakistan (SBP) issued directives to all banks to ensure that security measures on all information technology systems, including those related to card operations, are continuously updated to meet future challenges, ensure real-time monitoring of card operations related systems and transactions and immediately coordinate with all the integrated payment schemes, switch operators and media service providers.

Subsequently, at least at least 10 major banks of the country suspended international ATM transactions on debit cards, according to texts sent to their clients.


According to PakCERT’s Threat Intelligence report published on November 4, a total of 19,864 debit card details belonging to 22 Pakistani banks are being sold in the dumps circulating on the Darknet. This number does not include a small number of other compromised cards which were found in the dumps.

In the first dump released on Oct 26, a day before Bank Islami lost over Rs 2.6m, the majority of cards were of Habib Bank Limited (6,170), followed by the Bank of Punjab (748) and Standard Chartered Bank Limited (586).

In the second dump released on Oct 31, the majority of cards were of Habib Bank Limited (2,043), followed by United Bank Limited (1,381) and Meezan Bank Limited (1,375).


According to the report, hacked credit card data is available in two formats on dark web. “Text-based credit card details like full name, address, phone number, card number, expiry and CVV2, which can be easily used by someone for illegal online purchases.”

The second format is skimmed dumps, which means the hacker was physically able to scan the card details possibly at a compromised ATM or merchant machine, the report said. The skimmed card details are used to create a duplicate card which can then be used at an ATM or merchant machine for illegal transactions.

Initially, there were rumours of BankIslami servers being hacked but looking at the number of total compromised cards and that too belonging to 22 different banks, it is evident that several compromised ATMs or merchant machines were involved in the skimming, the report claimed.


However, the SBP “categorically” rejected the reports circulating in the mainstream media, saying, “There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency.” According to the central bank, with the exception of BankIslami, no breach has been reported.

In a comment on the temporary suspension of the international transaction by the number of banks, the SBP said.

“All these temporary, restrictions would be lifted once appropriate IT security measures are in place. It is stressed, that all restrictions pertain only to cross-border transactions, and no bank has instituted any restriction on domestic transactions,” the SBP assured.