Security report: Data on 25,000 UAE police put on sale on web forum

Data containing personal information of 25,000 UAE police officers is up for sale on the web, according to security company CloudSek. The report comes at a time of heightened alert for security issues, as online scams and data breaches proliferate throughout the Gulf and broader Middle East region.

CloudSek has reported that it has seen a post, dated 7 July, on a web database marketplace advertising the sale of data for UAE police officers. “The poster is selling ‘UAE Full(25K) police info’ for $500 and has shared 9 samples to support their claims. In response to this post several forum members have shown interest in buying the data,” according to the report.

The sample images contain first and last names of police officers in Dubai and Abu Dhabi, as well as their mobile and work phone numbers, email addresses and in some cases, their addresses. CloudSek says it was able to verify that the data is correct, using information available in public sources.

The seller of the data has also shared the image of an Abu Dhabi police database that contains 31,878 files and 6 folders, CloudSek said.

The data could have an impact in various ways, according to CloudSek. The information, for example,  could be used to harass police officers and to orchestrate phishing campaigns, online and offline scams, and identity theft.

“Usually our mobile numbers and email IDs are linked to banking, mobile wallet, and other online accounts. Having these details makes it easier for threat actors to compromise the officials’ accounts,” according to CloudSek.

UAE officials have not yet responded to requests for comment, and the seller has not revealed the source of the data. It is unclear whether the data was exfiltrated from police databases by hackers, or whether someone with legitimate access to the data put it up for sale.

CloudSek is recommending several actions by the police, including enabling multifactor authentication for online accounts, a review of all online accounts and financial statements for suspicious activity; and cautioning friends and family of the police officers against threat actors impersonating them.

In recent months, as the coronavirus forced a remote work regime for many workers in the UAE, the emirates have witnessed a rising number of cases that involve cybercriminals stealing personal details and money through SIM card swapping, phishing and impersonation.

And more generally, Gulf countries such as Saudi Arabia and the United Arab Emirates are increasingly becoming the targets of sophisticated cyberattacks that are aimed at stealing personal data and, in some cases, exposing state secrets. This comes against the backdrop of growing technology adoption by enterprises and institutions in the region, as well as geopolitical tensions.