Pakistan’s National Cyber Emergency Response Team (National CERT) has issued a cybersecurity advisory for all entities handling Personally Identifiable Information (PII) of citizens.
The advisory calls for immediate and systematic measures to strengthen data protection amid rising incidents of breaches, identity theft, and misuse of personal information.
The directive applies to any organisation that collects, stores, processes, or transmits PII, including government bodies, private firms, and hybrid or cloud-based systems. National CERT said weak internal controls, outdated systems, unencrypted data, and poor cyber hygiene increase vulnerability to financial fraud, operational disruption, reputational damage, and legal consequences under laws like PECA 2016.
Entities managing sensitive data such as CNIC numbers, health records, or financial information are particularly exposed to exploitation by criminals or hostile actors. The advisory instructs organisations to classify data by sensitivity, enforce access controls, encrypt information during storage and transmission, maintain updated software, and implement secure development practices.
Organisations are also expected to keep PII only as required by law, establish breach response protocols, and audit third-party vendors handling personal data. Over time, they should adopt zero-trust frameworks, ensure disaster recovery readiness, and train staff on cyber risks.
Individuals are advised to safeguard personal information by sharing CNICs or documents only when necessary and clearly marking their intended use, for instance, “For SIM registration only.” Users should create strong, unique passwords, enable multi-factor authentication, avoid oversharing online, and refrain from installing apps from unofficial sources.
National CERT stressed that protecting personal data is a strategic imperative for both organisations and citizens. The authority called for proactive measures to secure digital infrastructure, prevent breaches, and maintain trust in Pakistan’s cyber ecosystem.
