FTO Reveals FBR IT System Compromised, Exposes Major Security Flaws

Imagine a small business owner logging into the tax portal, confident that their financial information is secure, only to be shocked by a sudden notification of a major discrepancy in their tax filings a discrepancy they know nothing about. This unsettling scenario is emblematic of a broader threat facing taxpayers in Pakistan. The Federal Tax Ombudsman (FTO) has issued a critical order, stating that the Federal Board of Revenue (FBR) operates an IT infrastructure that is effectively controlled by cyber-criminals.

Breach details

According to the FTO’s order:

• The IT infrastructure of the Federal Board of Revenue (FBR) has been subject to recurrent breaches that remained undetected over substantial periods, enabling malicious actors to compromise the integrity of taxpayer information. For instance, in one breach scenario, attackers initiated an unauthorized login using stolen credentials obtained from a phishing campaign targeting FBR employees. Once inside, they altered a taxpayer’s record by changing the tax liability amount, falsely reducing it to a negligible sum. This change was masked by modifying the audit logs to obscure any trace of the unauthorized access. Such breaches permit unauthorized manipulation of sensitive data, including the alteration of taxpayer records, modification of authentication credentials, and submission of falsified tax returns. The technical significance of such breaches lies in their capacity to undermine the authenticity and reliability of core tax administration processes, thereby eroding the foundational mechanisms of auditability, accountability, and trust within Pakistan’s tax collection system.
• A complaint initiated over the illegal suspension of a sales tax registration uncovered further irregularities, including “back-door entries” and unauthorized changes to taxpayer profiles.
• The FTO flagged weak internal controls: inadequate alerts for anomalous activity, poor reconciliation between tax data and invoices, and potential collusion by insiders, particularly within Pakistan Revenue Automation Limited (PRAL), the FBR’s IT wing.
• The order contends that despite efforts to catch the culprits — including repeated monthly changes of a complainant’s login credentials unauthorized access persists, with the latest incident traced to July 2025.

Implications and concerns

These findings critically undermine confidence in the operational integrity and regulatory robustness of Pakistan’s tax-collection infrastructure, highlighting systemic vulnerabilities that not only jeopardize fiscal administration but also necessitate urgent policy intervention and regulatory reform to address security deficiencies.

• Compromised taxpayer data and manipulated records could undermine revenue collection, hinder audits, and facilitate large-scale tax fraud.
• The fact that an ombudsman concludes the system is “under the control of cyber-criminals” is striking.
• Potential insider collaboration suggested in the FTO’s order adds complexity to the investigative challenge.
• For businesses and taxpayers, the breach erodes trust in digital systems and raises fears about data exposure and unfair assessments.

FBR’s stance

The FBR has publicly rebutted some of the news reports, rejecting certain claims of a “major cyber-attack” and describing the reportage as inaccurate.
However, the FTO’s order stands as a formal administrative finding that the system is deeply flawed.

What happens next

The FTO has directed the FBR to submit a comprehensive report within 60 days, naming the Chief Commissioners-IR and other senior officers across regional tax offices for explanation inaction.
We can expect:

• Internal investigations inside FBR/PRAL, possibly criminal referrals.
• Re-assessment of procedural and technical controls within FBR’s IT network—such as audit logs, access controls, anomaly-detection.
• Heightened scrutiny by taxpayers and stakeholders over data integrity, system reliability, and the fairness of tax assessments.
• Potential regulatory or legislative responses to strengthen oversight of tax-automation systems and safeguard against insider threats.

In an era where government revenue is under pressure and digital systems are core to business processes, a breach of this magnitude does more than just hit the FBR. It shakes confidence in the broader digital economy and calls into question the state of cyber-resilience in Pakistan’s public sector.