FBR Takes Down its Websites for 24hrs in fear of Hackers

According to FBR employees and residents who attempted to use these websites, the three web portals of the tax machinery were down last Saturday night and Sunday, disrupting the process of payments of filing income tax reports.

According to officials, iris.fbr.gov.pk, the portal used to file returns, as well as e.fbr.gov.pk and fbr.gov.pk, its key linkages with taxpayers and the rest of the world, were shut down on the eve of Pakistan’s Independence Day.

The websites are expected to be functioning before the start of regular business hours on Monday (today).

“This is a standard maintenance effort,” Asad Tahir Jappa, FBR’s spokeswoman, responded while confirming that the websites were offline. He did not indicate when the FBR intended to operational these online sites.

Interestingly, the FBR took down its website for standard maintenance approximately ten days ago and appropriately informed the public through a notice.

“Building on its continuous drive for digitisation,” the FBR said in an August 5 statement, “the FBR is all prepared to modernise its main IRIS system in order to improve its functioning, increase its security, and introduce a new Graphic User Interface.”

“It is to tell you that the services of the IRIS System will be momentarily unavailable during this upgrade procedure from 10 p.m. on August 6 to 10 a.m. on August 7, 2022.” As a result, the inconvenience is regretted,” the statement said.

The FBR did not notify the public about the absence of availability of its services this time.

Last year, Pakistan’s top intelligence agency informed the FBR about the high likelihood of a cyber-attack, but the warnings were disregarded, resulting in the takeover or shutdown of around half of the FBR data centre’s virtual computers.

The incident occurred on August 15, 2021, when Indian hackers attacked the FBR data centre and took down all official websites maintained by the tax machines for more than 72 hours.

Unofficially, the FBR provided two versions of the hacking. According to one account, the hackers gained access to the system by stealing the data centre administrators’ logins and passwords. At the same time, FBR technical wing stated that the hackers gained access to the system via a Hyper-V link.

To conceal its incompetence, the FBR referred to the hacking as “unforeseen irregularities during the migration procedure.”

In September of last year, then-Finance Minister Shaukat Tarin acknowledged that Indian hackers had targeted the FBR’s website, and a similar type of Indian attack occurred in 2019.

Tarin stated that the FBR website’s level one was hacked, but the hackers could not access the database. It may have been compromised if the hackers had gained access to the FBR’s data.

Even though the previous administration dismissed the then-FBR chairman based on failing to defend the websites, the individuals responsible for the data centre’s security were never penalised. Ironically, several of them were later promoted or awarded awards.

The FBR and Pakistan Revenue Automation Limited (PRAL), the backbone of the FBR’s database, both blamed each other for last year’s hack.

The government decided to shut the websites despite hiring a chief information and security officer to secure the FBR’s data centres. This implies that the FBR does not consider its systems protected from cyber-attacks, thus revealing a gap that may be exploited during any big national event.