The recent breach at National Institutional Facilitation Technologies (NIFT), the prominent Payment System Operator and the only Automated Cheque Clearing House in Pakistan, has turned out to be more severe than initially reported; hackers successfully infiltrated NIFT’s data centers, leading to the loss of terabytes of data. Moreover, the hackers from the NIFT breach have now issued a threat to release the ePay source code, raising concerns about data security and privacy.
NIFT Breach: Hackers Gain Access to Sensitive Data
Within moments of the breach, hackers were able to download a significant amount of data, including scans of all the cheques stored in the NIFT database. Moreover, the hackers claim to have obtained and downloaded the ePay source code, which was stored on one of the platform’s common servers. In a recent communication, the hackers declared their intention to make the ePay source code publicly accessible in the near future. The breach also exposed personal information, such as merchant data, audit logs, and scanned passport documents, stored in a supposedly confidential folder.
Concerns over NIFT’s Security and State Bank’s Oversight
The breach has shed light on the vulnerabilities of NIFT’s security infrastructure and has raised questions about the effectiveness of the State Bank of Pakistan’s auditing process. Although NIFT has claimed that only limited customer data of an operational nature may have been compromised, the incident underscores the need for stronger security measures. Commercial banks have complained about delays in the clearance of checks due to the restoration of the manual clearing system in the digital age; the existing architecture of the country’s sole Automated Cheque Clearing House and Payment System Operator appears insufficient to safeguard customer privacy adequately.
A spokesperson from the State Bank of Pakistan (SBP) stated that the bank is in contact with NIFT and has requested the institution to submit a plan outlining future safety measures to prevent the recurrence of such events. “A detailed assessment in this regard is still ongoing. The effort is being spearheaded by a top-tier independent security assessment firm hired by NIFT and is being supervised closely by the SBP,” said NIFT.
Also read: Cabinet Division Warns of Hackers Stealing Data via Fake Emails Targeting Government Employees
