98 Cyber Attacks in 90 Days: Pakistan’s Cybersecurity Crisis Is Getting Worse Every Year

Pakistan suffered 98 documented cyber attacks in the first three months of 2026 alone. That figure, presented before the Senate Standing Committee on Information Technology, is not just a quarterly statistic; it is the latest data point in a trajectory that has been moving in one direction for years.

In 2024, Pakistan recorded 410 cybersecurity incidents across the full year. In 2025, that number rose to 517. The pattern is unambiguous. Cyber threats against Pakistani institutions are increasing in frequency, broadening in scope, and targeting sectors that the country can least afford to have compromised.

Who Is Being Targeted

The breakdown of the 98 incidents reported in the first quarter of 2026 reveals both the scale and the spread of the threat.

Provincial governments bore the heaviest burden, with 32 attacks recorded in just three months. Federal government institutions reported 21 incidents. Business enterprises accounted for 16 cases, while educational institutions, universities, schools, and academic bodies faced 13 cybersecurity incidents during the same period.

The telecom sector recorded 4 attacks. The health, power, and media sectors each reported 3 incidents. Defence and aviation, two of the most sensitive areas of national infrastructure, each recorded one incident.

How the Attacks Are Being Carried Out

The nature of the attacks reported is as telling as their frequency. Website hacking dominated the incident list, accounting for 42 of the 98 cases, the single largest category by a considerable margin. Data leaks and Distributed Denial of Service attacks each contributed 17 incidents. Fake websites, a tool used for phishing, fraud, and credential theft, accounted for 9 cases, while phishing campaigns were recorded in 4 separate incidents.

Notably, only two of the 98 attacks resulted in complete website shutdowns. The majority of incidents involved infiltration, data exposure, or service disruption without taking systems entirely offline, a pattern consistent with attackers prioritising data extraction and intelligence gathering over visible disruption.

A Three-Year Trend That Demands Attention

The quarterly figures gain their full significance when placed alongside the annual data presented to the committee.

In 2024, federal government institutions faced 47 cyberattacks, and provincial governments faced 69, a combined 116 attacks on government bodies across the year. In 2025, those numbers rose sharply: 111 attacks against federal institutions and 137 against provincial governments, a combined 248, representing more than a doubling of government-directed attacks in a single year.

The overall trajectory tells the same story. From 410 incidents in 2024 to 517 in 2025, Pakistan’s cybersecurity incident count grew by more than 25 percent in one year. If the pace of the first quarter of 2026 holds, the annual total could approach or exceed 400 incidents before mid-year, putting 2026 on course to surpass 2025.

The Sectors Most at Risk

The distribution of attacks across sectors points to several areas of particular concern.

Provincial governments, which handle critical citizen data, land records, health databases, tax information, and civil registration, have consistently been the most targeted tier of government. Their cybersecurity infrastructure is generally less robust than federal systems, making them both more attractive targets and more vulnerable to sustained attack.

Educational institutions emerging as a significant target category is a relatively recent development. Universities and research bodies hold valuable intellectual property, student data, and in some cases research with defence or commercial applications. Thirteen incidents in a single quarter suggest this sector is being actively probed.

The incidents in the defence and aviation sectors, while each recorded as a single case, warrant disproportionate attention. A single successful breach in either domain can carry consequences far beyond what the incident count suggests.

Pakistan’s Cybersecurity Capacity: The Underlying Question

The data presented to the Senate committee raises a question that the numbers alone cannot answer: how many of Pakistan’s cyber incidents go undetected or unreported?

The figures presented represent documented, reported cases. Cybersecurity researchers consistently note that reported incidents represent a fraction of actual attacks, particularly in countries where institutional reporting mechanisms are underdeveloped or where organisations prefer to handle breaches quietly to avoid reputational damage.

If Pakistan’s reporting rate is consistent with regional averages, the actual number of cyber incidents in 2025 and the first quarter of 2026 could be significantly higher than the official figures suggest. That possibility makes the upward trend in reported incidents even more concerning; it may reflect not just an increase in attacks but an improvement in detection and reporting, with the true scale of the threat still only partially visible.

What the Numbers Mean for Ordinary Pakistanis

Cyber attacks on government institutions are not abstract events. Provincial government systems hold citizens’ identity data, property records, and health information. A breach of these databases can expose millions of people to identity theft, financial fraud, and targeted scams. The 9 fake website cases and 4 phishing campaigns reported in the first quarter are direct vectors for exactly this kind of harm.

Business sector attacks affect employment, financial stability, and consumer data. Educational institution breaches compromise student records and institutional research. Telecom sector incidents have the potential to affect communications infrastructure that hundreds of millions of Pakistanis depend on daily.

The human cost of cybersecurity failures is rarely calculated in the same breath as the incident statistics. It should be.

The Senate Committee’s Role Going Forward

The presentation of this data to the Senate Standing Committee on IT is a necessary step, but it is the beginning of accountability, not the end. The committee now has documented evidence of a consistent, worsening trend across multiple sectors. The logical next steps are clear: demand a comprehensive national cybersecurity strategy with measurable targets, review the capacity and resourcing of Pakistan’s cybersecurity response bodies, and establish mandatory incident reporting standards across all sectors, particularly education and provincial government, where the gap between actual and reported incidents is likely widest.

The numbers presented this week tell a story of a threat that is growing faster than the institutional response. Closing that gap requires more than quarterly briefings. It requires a sustained, resourced, and accountable national commitment to cybersecurity, one that matches the scale of the problem the data has now put on the record.