FTO Warns FBR: Entire IT System Under Control of Cybercriminals. The Federal Tax Ombudsman (FTO) has issued a serious warning to the Federal Board of Revenue (FBR), stating that its entire IT system is allegedly under the control of cybercriminals. According to the FTO order, severe security vulnerabilities have made the system susceptible to data manipulation, unauthorized transactions, and insider exploitation.
This alarming situation raises concerns about data integrity, taxpayer security, and the overall credibility of FBR’s IT infrastructure. Immediate corrective measures are crucial to prevent further misuse and financial losses.
Key Findings of FTO Report
The FTO report highlights multiple system weaknesses that have allowed cybercriminals and possibly insiders to manipulate the FBR’s IT network.
| Issue | Description |
|---|---|
| System Collapse | IT system allegedly under complete control of cybercriminals |
| Unauthorized Access | Ability to hack taxpayer IDs without leaving a trace |
| Data Manipulation | Fake transactions and altered taxpayer profiles |
| Insider Threats | PRAL employees may be colluding with external hackers |
| Weak Internal Controls | Poor safeguards against tax fraud and unusual activity |
The FTO emphasized that even after repeated complaints about ID password hacking, the security breaches continue, reflecting poor data protection measures.
FTO Statement on Cyber Threats
The FTO noted that repeated hacking of the same taxpayer’s ID password occurred during the tax period of July 2025. Despite extraordinary efforts to identify the culprits, the misuse persisted, suggesting possible insider involvement, especially from Pakistan Revenue Automation Limited (PRAL) staff.
The report also highlighted:
- Compromised data integrity
- Inadequate safeguards for financial transactions
- Weak reconciliation and monitoring systems
- Collusion risk between taxpayers and employees
These vulnerabilities enable fake invoice creation, unauthorized profile changes, and tax fraud.
Critical System Weaknesses
The FTO report categorized the IT system weaknesses into major areas:
| Weakness | Impact |
|---|---|
| Compromised Data Integrity | Manipulation of tax records and invoices |
| Inadequate Security Controls | Hackers can operate without detection |
| Poor Internal Audit | Lack of alerts for unusual activities |
| HS Code Matching Issues | Errors in input/output tax reconciliation |
| Unauthorized Profile Changes | Facilitation of fake transactions |
| Insider Collusion Risk | PRAL employees may be assisting cybercriminals |
These flaws make the IT system highly vulnerable, requiring urgent intervention.
Legal and Operational Directives
The FTO directed FBR to take immediate steps to protect the IT infrastructure and ensure accountability. Some key actions include:
- Directing Chief Commissioners-IR at RTOs and CTOs across Pakistan to initiate legal proceedings against beneficiaries of tax fraud.
- Compliance with Sales Tax SOPs: Enforcing Sales Tax General Order No.12 of 2023, focusing on flying and fake invoices.
- Accountability Measures: Member Ops-IR must explain to concerned Commissioners why appropriate actions were not taken.
- Apprehension of Masterminds: Shiraz Ahmed, Niaz Ahmed, and other identified cybercriminals must face legal action.
- Stop ID Hacking: Immediate measures to stop continuous monthly hacking of complainants’ passwords.
- Reporting: FBR must submit a comprehensive report within 60 days to the FTO.
Potential Consequences
Failing to address these vulnerabilities can result in:
| Consequence | Description |
|---|---|
| Financial Loss | Losses due to tax fraud and fake invoices |
| Legal Penalties | Legal action against FBR employees or colluding taxpayers |
| Reputational Damage | Reduced public trust in FBR’s digital systems |
| Operational Breakdown | IT system collapse impacting taxpayer services |
| Cybercrime Exposure | Hackers could continue exploiting system gaps |
The FTO warned that both cybercriminals and potential insiders must be identified to restore security and taxpayer confidence.
FBR’s Immediate Responsibilities
According to the FTO order, FBR must:
- Strengthen IT security and data integrity.
- Conduct internal audits to detect unusual activities.
- Monitor PRAL staff with system access for possible collusion.
- Ensure timely action against tax fraud perpetrators.
- Provide regular updates to FTO within 60 days.
These steps are essential to prevent future security breaches and ensure the system operates safely for all taxpayers.
What Taxpayers Should Know
Taxpayers dealing with FBR’s IT system must remain cautious:
- Monitor account activity regularly for unusual transactions.
- Report unauthorized access immediately.
- Maintain secure passwords and avoid sharing credentials.
- Stay updated with official FBR announcements regarding IT security.
Taking these precautions can reduce the risk of being affected by cyber attacks or insider collusion.
Conclusion
The FTO warning underscores that FBR’s IT system is at a critical risk of cybercriminal control. Weak internal controls, insider threats, and poor data integrity make the system vulnerable to tax fraud, fake invoices, and unauthorized transactions.
Immediate steps, including strengthening cybersecurity, legal action against cybercriminals, and monitoring internal staff, are vital to restore confidence in Pakistan’s taxation system.
The FBR must comply fully with FTO directives, ensure security, and submit a comprehensive report within 60 days to avoid further operational and reputational damage.
FAQs About FTO Warns FBR
1. What did the FTO warn FBR about?
The FTO warned that FBR’s entire IT system may be under the control of cybercriminals and is highly vulnerable to manipulation.
2. Who are potential insiders in this case?
PRAL employees with direct system access are suspected of colluding with cybercriminals.
3. What are the risks of a compromised IT system?
Risks include tax fraud, fake invoices, financial loss, and reduced trust in FBR services.
4. What actions must FBR take immediately?
FBR must strengthen cybersecurity, stop ID hacking, take legal action against fraudsters, and report to FTO within 60 days.
5. How can taxpayers protect themselves?
Monitor accounts, use strong passwords, report suspicious activity, and follow official FBR updates.
