In 2020, an expat was arrested in Dubai who allegedly used another person's Emirates ID to obtain cheques as part of a fraudulent scheme amounting to 350,000 dirhams, involving accomplices and numerous transactions. This case highlighted how identification documents can be misused if people do not adhere to access and verification protocols.
Sources of Data Leakage Risk
The risk of fraud does not always begin with organized criminal schemes. More often, it arises in routine situations where residents are asked to provide or send copies of their Emirates ID at shops, delivery points, or service centers. However, such seemingly standard requests can lead to the leakage of confidential personal data if they are copied, stored, or distributed without proper protection.
Emirates ID cards contain extensive biometric and personal information, including residency number, passport details, fingerprints, and iris scans. If handled improperly, stored insecurely, or distributed uncontrollably, they can be used for impersonation, fraud, or account takeover.
Recommendations from UAE Authorities
Experts speaking with Khaleej Times noted that the problem lies not in the existence of the card itself, but in the uncontrolled duplication of its data in daily operations, which often occur outside regulated systems. UAE authorities advised residents to avoid sharing sensitive information and to be able to distinguish legitimate verification requirements from unnecessary data collection requests. Not every organization has the legal right to keep a copy of an Emirates ID.
ICP Rules and UAE Legislation
The Federal Authority for Identity, Citizenship, Customs & Port Security (ICP) warned that Emirates ID cards cannot be used for commercial incentives, such as discounts or bonuses, nor provided as collateral for services. The authority also stressed that private companies cannot store identification documents unless permitted by law, and prohibits their retention without judicial or official authorization.
According to Federal Decree-Law No. 45 of 2021 on Personal Data Protection, any entity that collects, stores, copies, or uses Emirates ID data is processing personal data. Such processing must be lawful, fair, transparent, and limited to a specific purpose, with robust measures to protect against unauthorized access, misuse, or disclosure.
When is an Emirates ID Request Legal?
A legal expert believes the issue is not whether Emirates ID requests are valid in principle, but whether they are proportionate and properly controlled. Nikhat Sardar Khan, a litigation lawyer at DIFC, stated: 'The question is not that Emirates IDs can never be requested.' She clarified that some organizations may have a legal basis for such a request—for example, for KYC, banking compliance, telecom registration, or client onboarding. Nevertheless, the request must be proportionate. Copying or storing Emirates ID data without a legal purpose is unjustified, and the organization must ensure it will not be misused.
She added that individuals have legal recourse in case of misuse. Data subjects can file complaints against organizations violating the law in processing their data, and can also demand correction, deletion, restriction, or access to their information. In more serious cases involving violations, organizations also have obligations regarding notification and reporting.
Dubai Fraud Example
Nikhat also cited a case from a Dubai court to demonstrate how the improper use of identification can lead to major fraud. A Dubai court was hearing a dispute related to an employee who allegedly used his employer's Emirates ID to open a corporate account and present himself as an authorized signatory. Before the employer left, the employee allegedly obtained a cheque for a small amount and then changed its denomination in their absence. He also disabled the employer's bank SMS alerts via the telecom channel, reducing transaction visibility. The situation escalated when a new corporate account was opened, and the employee became an authorized signatory, presumably because service providers did not verify everything properly. The cheque amount increased from approximately 96 dirhams to 1,000,000 dirhams, allowing about 350,000 dirhams to be withdrawn. Some funds were recovered. Nikhat noted: 'The case was only partially successful because the Court found that the employer was also negligent for leaving the Emirates ID accessible in the office.'
How Cybercriminals Use Data
Cybersecurity expert Rayad Kamal Ayub from Rayad Group stated that Emirates ID-related fraud usually follows recognizable patterns rather than being isolated incidents. He listed common fraud scenarios: SIM-swap fraud, fake KYC applications, social engineering related to UAE PASS, and identity 'stitching'. SIM-swap fraud involves using personal data to take over telecom accounts and intercept bank OTPs. Fake KYC applications create mule accounts or fraudulent financial profiles. Identity 'stitching' combines fragments of data leaks, such as contact information, to create complete identity profiles for fraudulent purposes.
Rayad also pointed to the persistent operational weakness associated with informal document exchange. He noted: 'One of the most persistent weak points remains the informal exchange of documents. Residents are often asked to send copies of their Emirates ID via WhatsApp, email, or other unsecured channels for services like delivery verification, access control, or administrative processing. After the exchange, people often lose control over where the data is stored, who has access to it, and for how long it is retained.'
Emirates ID System Security
The Emirates ID system is designed to ensure secure identification. The card chip contains encrypted data accessible only to authorized systems. Furthermore, the card has several physical security features, and the main database stores identification records for official checks. Rayad explained: 'Most risks do not come from the system itself. Something as simple as scanning, photographing, emailing, or forwarding a copy of the Emirates ID is considered 'processing' of personal data under the Personal Data Protection Law. This entails legal obligations for organizations to apply principles of data minimization, purpose limitation, and secure storage.'
Protecting Emirates ID Data
Regulators and cybersecurity experts agree on a simple set of steps that both individuals and organizations should follow. Key recommendations include: sharing Emirates ID data only when strictly necessary and for a defined purpose; preferring verification through UAE PASS whenever possible instead of exchanging documents; adding watermarks, dates, and purpose stamps to any provided copies; avoiding sending Emirates ID images via WhatsApp or unsecured channels; never providing Emirates ID copies along with bank credentials or OTPs; verifying the legitimacy of requests, especially in informal or spontaneous situations; and securely storing any collected copies using encryption and access control.