Vulnerability exploit | Resolved

Pakistan FBR data centre breach

Attackers compromised the data centre of Pakistan's Federal Board of Revenue by exploiting a pirated copy of Microsoft Hyper-V, taking down all tax-authority websites and putting network access for 360 virtual machines up for sale on a Russian dark-web forum.

Victim
Federal Board of Revenue (FBR)

On or around 14 August 2021 — Pakistan's Independence Day — attackers compromised the data centre of the Federal Board of Revenue (FBR), the country's apex tax-collection authority. The breach took every FBR website and online service offline for days, freezing tax filings, customs clearances, and a swathe of dependent business activity across the country.

What happened

The intruders broke through the Microsoft Hyper-V virtualisation layer that underpinned the FBR's data centre, gaining access to an environment of roughly 360 virtual machines. A subsequent investigation by private and government cybersecurity experts found two compounding failures:

  • The FBR was running a pirated, unlicensed copy of Microsoft Hyper-V, which deprived it of security updates and support.
  • Spear-phishing emails were identified as a likely initial entry vector into the network.

The authority initially tried to characterise the outage as routine "data centre optimisation," but the scale of the disruption — all public-facing services down for days — quickly forced confirmation of a genuine cyberattack.

The dark-web sale

Within days, network access to FBR systems was advertised for sale on a Russian hacking forum. The seller offered access to two or three systems for around $26,000, with instructions to infect all machines, or full access to the compromised environment for $30,000. This indicated the attackers were positioned to either deepen the intrusion or hand it off to other criminal groups.

Response and disputed impact

The FBR insisted that taxpayer data remained safe and that there was "no linkage or access to banking transactions at any level." However, digital-rights advocates criticised the authority for a lack of transparency, noting that Pakistan's own intelligence services had reportedly warned the FBR of potential cyberattacks beforehand — warnings that went unheeded. The use of pirated infrastructure software at a national tax body drew particular scrutiny.

Why it matters

The FBR breach exposed the fragility of Pakistan's government IT estate: a critical national institution running unlicensed, unpatched virtualisation software, undone by a phishing email and a known-but-ignored risk. It became a reference point in debates over state cybersecurity governance, software-licensing compliance, and breach transparency in Pakistan, underscoring how procurement shortcuts at the infrastructure layer can translate directly into national-scale operational outages.

Timeline

  1. Around Pakistan's Independence Day, attackers compromise the FBR data centre by breaking the Microsoft Hyper-V virtualisation layer, affecting 360 virtual machines.

  2. All FBR websites and online services go offline; the authority initially describes the outage as 'data centre optimisation'.

  3. Officials confirm a cyberattack; business activity dependent on FBR systems is halted.

  4. Investigators report the FBR was running a pirated version of Microsoft Hyper-V, and that spear-phishing was a likely entry vector.

  5. Network access to FBR systems is advertised for sale on a Russian hacking forum for around $30,000.

Sources

  1. latesthackingnews.com: https://latesthackingnews.com/2021/08/23/pakistans-fbr-suffered-cyber-attack-network-access-sold-on-dark-web/
  2. dawn.com: https://www.dawn.com/news/1649393
  3. profit.pakistantoday.com.pk: https://profit.pakistantoday.com.pk/2021/08/15/fbr-data-centre-compromised-all-websites-down/
  4. digitalrightsmonitor.pk: https://www.digitalrightsmonitor.pk/fbr-data-centre-hacked-no-transparency-from-the-authority/
  5. gulfnews.com: https://gulfnews.com/opinion/op-eds/what-caused-pakistans-largest-data-centre-attack-1.81758508
