ISLAMABAD: The Federal Tax Ombudsman (FTO) has raised serious concerns over the Federal Board of Revenue’s (FBR) digital infrastructure, revealing that the organization’s entire IT system has been compromised and remains under the control of cybercriminals. According to an official order issued by the FTO, hackers have gained unauthorized access to critical databases, enabling them to manipulate data, delete records, and generate fake transactions without detection. The findings underscore a critical cybersecurity crisis within one of Pakistan’s most vital institutions responsible for tax administration and financial oversight.
The complaint leading to this revelation was initially filed under Section 10(1) of the Federal Tax Ombudsman Ordinance, 2000, regarding the unlawful suspension of a taxpayer’s sales tax registration (STRN). During the investigation, additional issues surfaced, including repeated hacking incidents, unauthorized use of IDs and passwords, deletion of original invoices, and insertion of fake sales tax entries. The FTO concluded that these persistent breaches reflect systemic weaknesses that have left FBR’s IT framework defenseless against exploitation. The order noted that the system’s vulnerabilities, such as data manipulation, backdoor entries, and the absence of proper monitoring, have allowed cybercriminals to operate freely without any accountability or traceability.
The FTO’s findings further highlighted that despite consistent attempts by the complainant to secure their account credentials, unauthorized access continued on a monthly basis, with the latest incident recorded in July 2025. The repeated compromise of credentials points toward possible insider involvement, particularly from within PRAL, the company managing FBR’s digital operations. According to the report, this insider access may have facilitated unauthorized activities and data manipulation, raising serious concerns about internal governance, data protection protocols, and accountability measures. The order emphasized that these internal weaknesses must be addressed urgently to prevent further damage to the national tax infrastructure.
In addition to technical vulnerabilities, the FTO identified multiple procedural and control failures, including weak internal oversight, inadequate system alerts for suspicious activity, insufficient reconciliation between input and output taxes, and a lack of quantitative verification mechanisms. These gaps have reportedly enabled the creation of fraudulent transactions and unauthorized profile changes within the taxpayer database. Furthermore, potential collusion between certain taxpayers and FBR or PRAL employees has been cited as a factor worsening the exploitation of system vulnerabilities. The FTO has called for immediate action to safeguard data integrity, strengthen security protocols, and ensure that those responsible for these failures are held accountable.
The disclosure has brought renewed attention to the urgent need for robust cybersecurity measures in Pakistan’s public sector institutions, particularly those managing sensitive financial data.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
