FTO Exposes Cybersecurity Breach in FBR Leading to Rs 14.66 Billion Tax Fraud

FTO Exposes Cybersecurity Breach in FBR Leading to Rs 14.66 Billion Tax Fraud

Karachi, October 7, 2024 – In a shocking revelation, the Federal Tax Ombudsman (FTO) has identified a monumental tax fraud worth Rs 14.66 billion attributed to a cybercrime breach within the Federal Board of Revenue (FBR). The crime, which infiltrated FBR’s system, resulted in unauthorized access and the misuse of taxpayer data, leading to colossal losses for the national exchequer. This fraud case marks one of the most significant cyberattacks targeting Pakistan’s tax infrastructure.

The FTO’s findings, based on a detailed investigation, point to serious lapses in securing the complainant’s user ID, password, and sensitive taxpayer data. These vulnerabilities facilitated the cybercriminals to commit tax fraud on behalf of the complainant, raising questions about the overall integrity of the FBR’s system. The FTO labeled this breach as a case of maladministration, highlighting the glaring gaps in FBR’s ability to protect its system from such sophisticated attacks.

The Case in Detail

The case revolves around an individual, a retired Armed Forces personnel, who registered for sales tax under the business name ‘Gravity Traders’ in 2010. The complaint filed against the Commissioner RTO-II, Karachi, accuses the tax authority of fraudulently attributing Rs 81.43 billion in transactions to the complainant for the tax periods between September 2023 and January 2024. These transactions led to a corresponding sales tax liability of Rs 14.66 billion.

The complainant was blocking by the tax authority on March 27, 2024, for allegedly declaring fake supplies, despite having filed ‘null’ sales tax returns for the same period. The FTO’s investigation revealed that the complainant was neither served a proper show cause notice nor given an opportunity to defend himself before his Sales Tax Registration (STRN) was blocked.

Upon reviewing the complaint, the FTO referred the matter to the Revenue Division Secretary for comments, as outlined in Section 10(4) of the FTO Ordinance and Section 9(1) of the Federal Ombudsmen Institutional Reforms Act, 2013. The tax authority’s defense, submitted through an Excel sheet, revealed large-scale fake supplies declared in the complainant’s name. These fake supplies were used by various buyers to claim huge input tax during the relevant periods.

A Coordinated Cybercrime Operation

The FTO’s investigation uncovered that a sophisticated gang of cybercriminals had exploited dormant taxpayer accounts to execute fake transactions. These criminals, likely working in collusion with current and former employees of the FBR and PRAL (Pakistan Revenue Automation Limited), gained unauthorized access to the system, forging sales records to benefit certain manufacturers and end consumers.

The modus operandi of the gang involved extracting inactive taxpayer accounts from the FBR website and misusing their credentials to fabricate fake transactions. This cybercrime not only robbed the national treasury but also tarnished the credibility of Pakistan’s tax administration system.

A comprehensive review of forward and backward transactions from multiple tax offices, including RTO-I and RTO-II Karachi, LTO Lahore, and RTO Faisalabad, revealed the involvement of several entities in this fraud. Bank account scrutiny and in-depth investigations into buyer-supplier relations further corroborated the fraudulent activities.

Flaws in FBR’s Cybersecurity System

The FTO’s report criticized the FBR for its failure to safeguard the integrity of taxpayer data. It was discovered that cybercriminals had changed the complainant’s contact information, including phone numbers and email addresses, on the FBR’s web portal. These changes were made to block the complainant from accessing the system and prevent any revisions to the tax returns. Such security lapses enabled the perpetrators to exploit the system unchecked.

The FTO also flagged the PRAL system, which failed to capture essential sales tax documents, such as Annexure C, for several tax periods. The absence of these documents further hindered the investigation and highlighted significant flaws in FBR’s data management and audit processes.

A Call for Accountability and Reform

The FTO’s report calls for a thorough investigation to identify the insiders involved in facilitating the cybercrime. The report urges the FBR to launch legal proceedings against those responsible, including companies and individuals who knowingly participated in the fraudulent scheme. The key beneficiaries of this fraud are accused of evading taxes by using fake invoices and manipulating sales records.

The FTO also recommended that the Chief Commissioners of various tax zones initiate proceedings against the culprits, ensuring that those involved in the tax fraud are brought to justice. Additionally, the report stresses the need for reform in FBR’s IT infrastructure to prevent such breaches in the future. Enhanced cybersecurity measures, stricter enforcement, and real-time monitoring of transactions are essential to safeguard the system from future cyberattacks.

The Road Ahead

This case exposes serious vulnerabilities in Pakistan’s tax administration, highlighting the growing threat of cybercrime in the financial sector. The incident underscores the urgent need for the FBR to strengthen its security protocols, ensure transparency, and enforce stricter controls on access to taxpayer data.

As the investigation continues, the FBR is expected to take decisive action against those involved in the tax fraud while also addressing the systemic issues that allowed this breach to occur. The success of these measures will determine the future resilience of Pakistan’s tax administration system in the face of increasingly sophisticated cyber threats.

With Rs 14.66 billion at stake, this case serves as a wake-up call for the country’s tax and financial authorities to prioritize data security and safeguard the nation’s revenue from the growing menace of cybercrime.