Cyber Incident Victim: Securities and Exchange Commission of Pakistan
Date: Aug 2022
Location: Pakistan
Summary
A data breach at Pakistan's corporate regulatory authority compromised sensitive information of company directors and executives, including identity documents, contact details, residential addresses, and financial records. Internal tensions escalated as a commissioner accused leadership of withholding breach details, prompting her to request an independent investigation from the finance ministry while disputing the organization's attempts to minimize the incident's severity.
Description
In August 2022, the Securities and Exchange Commission of Pakistan (SECP) experienced a significant data breach involving unauthorized access to sensitive corporate records. The compromised database contained private information belonging to CEOs of registered companies, including national identity card details, email addresses, residential addresses, and financial records. As Pakistan's primary corporate regulator, SECP serves as custodian for extensive public and private company data, making the breach particularly consequential for corporate confidentiality and regulatory integrity. Internal tensions escalated when Commissioner Mujtaba Ahmed Lodhi alleged she had not been informed about the incident by SECP Chairman Aamir Khan, despite her oversight responsibilities for information technology systems. This disclosure failure prompted Lodhi to formally request an independent investigation through a letter to Finance Minister Miftah Ismail, citing concerns about transparency and accountability in breach management.

The breach's scope impacted directors and financial entities regulated by SECP, exposing personally identifiable information that could facilitate identity theft or financial fraud. No technical details regarding attack vectors, threat actors, or data exfiltration methods were disclosed publicly. SECP leadership attempted to downplay the incident's severity, triggering further institutional conflict between operational divisions and oversight roles. Lodhi's appeal for external intervention highlighted governance challenges in incident response coordination. Consequences included potential reputational damage to Pakistan's corporate regulatory framework and risks to affected individuals whose sensitive data circulated outside authorized channels. The absence of public statements regarding containment measures, victim notifications, or forensic investigations left critical response actions undocumented in available reporting.
