FTO Warns FBR: Entire IT System Under Control of Cybercriminals in 2025
In a shocking revelation, the Federal Tax Ombudsman (FTO) has warned the Federal Board of Revenue (FBR) that its entire IT system is potentially under the control of cybercriminals. This alarming report highlights severe vulnerabilities that could compromise taxpayer data, facilitate fraud, and disrupt Pakistan’s revenue operations. In this article, we explore the details of the FTO order, system weaknesses, potential insider threats, and recommended actions to secure the FBR’s digital infrastructure in 2025.
Overview of the FTO Warning to FBR
The FTO’s latest order, issued in October 2025, emphasizes that FBR’s IT infrastructure has collapsed, allowing unauthorized access and manipulation by cybercriminals. Key points include:
- Continuous hacking of taxpayer accounts
- Possible involvement of insiders with access to PRAL systems
- Weak internal controls and inadequate safeguards against tax fraud
- Lack of alerts for unusual activities and poor reconciliation of HS codes
These issues indicate systemic vulnerabilities that threaten both data integrity and revenue collection efficiency.
Critical IT System Vulnerabilities
The FTO report outlines several weaknesses in FBR’s IT framework:
Compromised Data Integrity
The system allows unauthorized modifications in taxpayer profiles, resulting in fake invoices and fraudulent transactions.
Weak Security Controls
Inadequate password management and a lack of multi-factor authentication enable cybercriminals to access sensitive accounts repeatedly.
Insider Threats
Evidence suggests collusion between FBR employees and taxpayers to exploit system flaws.
Poor Quantitative Reconciliation
A mismatch between input and output tax codes allows fraud to go unnoticed.
Backdoor Access and Data Manipulation
Cybercriminals can operate without leaving traces, which jeopardizes the integrity of the entire IT system.
Tax Fraud and Legal Actions
The FTO order also focuses on tackling tax fraud via robust legal measures:
| Action Point | Responsible Authority | Timeline |
|---|---|---|
| Legal proceedings for tax fraud beneficiaries | CCIRs & CTOs of RTOs (Lahore, Karachi, Peshawar, Multan, Islamabad, Quetta, Sialkot) | Immediate |
| Identify and report downstream fraud beneficiaries | FBR Board | Ongoing |
| Apprehend masterminds Shiraz Ahmed & Mr. Niaz Ahmed | DG I & I-IR | 60 days |
| Prevent repeated ID password hacks | CCIR LTO Karachi & DG IT | Immediate |
This table shows how FBR intends to curb systemic fraud while enforcing compliance with Sales Tax General Order No.12 of 2023.
Steps for Strengthening FBR IT Security
Cybersecurity experts recommend a multi-layered approach for FBR:
Implement Advanced Authentication
- Multi-factor authentication for all accounts
- Regular password rotation and audit logs
Monitor and Detect Suspicious Activities
- AI-powered intrusion detection systems
- Real-time alerts for unusual transactions
Regular Security Audits
- Periodic vulnerability assessments
- Penetration testing to identify loopholes
Insider Threat Management
- Limit access to sensitive data
- Continuous monitoring of privileged users
Data Integrity and Backup
- Regular encrypted backups
- Immutable logs for audit trails
Implications for Taxpayers and Businesses
The IT system vulnerabilities have direct consequences for taxpayers:
- Risk of identity theft and unauthorized access to accounts
- Potential delays in filing and receiving refunds
- Loss of trust in FBR digital infrastructure
- Increased compliance burdens due to stricter verification
Businesses must be vigilant and report suspicious activity promptly to FBR helplines to avoid losses.
FAQs
1. What did the FTO warn FBR about in 2025?
The FTO warned that FBR’s entire IT system is vulnerable to cybercriminals, with repeated hacking incidents and potential insider collusion.
2. Which FBR departments are involved in resolving these issues?
Key RTOs and CTOs in Lahore, Karachi, Islamabad, Multan, Peshawar, Quetta, and Sialkot are directed to take immediate legal and technical action.
3. How can taxpayers protect themselves?
Taxpayers should regularly monitor their accounts, change passwords, enable multi-factor authentication, and report unusual activity.
4. What legal measures are being taken?
FBR is conducting investigations, taking legal action against beneficiaries of tax fraud, and ensuring compliance with Sales Tax General Order No.12 of 2023.
Conclusion
The FTO’s warning is a wake-up call for FBR and Pakistani businesses to prioritize cybersecurity and data integrity. Immediate reforms in IT systems, strict monitoring, and legal enforcement are crucial to prevent further damage.









