DU Emirates 371K Customers Exposed in Telecom Breach

Nov 1, 2025 · Telecom sector

MEDIUM

By Karim El Labban · ZERO|TOLERANCE

In November 2025, threat actors claimed to have exfiltrated 371,000 customer records from DU (Emirates Integrated Telecommunications Company), the UAE's second-largest telecom operator.

The attackers imposed a ransom deadline, threatening to publicly release the full dataset if payment was not received.

01

KEY FACTS

  • What: 371,000 DU customer records exfiltrated, with a ransom deadline imposed.
  • Who: Subscribers of DU, the UAE's second-largest telecom operator.
  • Data Exposed: Emirates IDs, phone numbers, billing data, and usage records.
  • Outcome: DU faces UAE PDPL fines of up to AED 10M plus TDRA enforcement.

02

WHAT HAPPENED

In November 2025, threat actors posted a listing on a dark web forum claiming possession of 371,000 customer records exfiltrated from DU (Emirates Integrated Telecommunications Company), the UAE's second-largest telecommunications provider with millions of subscribers across mobile, fixed-line, broadband, and enterprise services.

The listing included sample data to demonstrate authenticity and imposed a ransom deadline, threatening to release the full dataset publicly if DU did not make payment by the specified date.

The claimed dataset encompassed core subscriber identity and account data: full names, Emirates ID numbers, UAE mobile phone numbers, SIM card identifiers, billing addresses, payment method metadata, call and data usage records, account registration dates, plan types, and subscription tiers.

The breadth of the data - spanning identity documents, financial metadata, and telecommunications usage patterns - indicates access to DU's core subscriber management database or Customer Relationship Management (CRM) system rather than a peripheral application.

The specific attack vector has not been publicly disclosed. DU issued no formal public acknowledgment of the breach.

The Telecommunications and Digital Government Regulatory Authority (TDRA), which oversees telecom operators in the UAE, has not published any enforcement action or advisory related to the incident.

The absence of public disclosure from both the operator and the regulator leaves 371,000 subscribers unaware that their Emirates IDs, billing data, and usage records may be circulating in criminal marketplaces.

03

WHAT WAS EXPOSED

Full subscriber names, Emirates ID numbers, UAE mobile phone numbers and SIM card data, billing addresses and payment method metadata, call and data usage records, account registration dates, plan types, and subscription tiers.

04

ZERO|TOLERANCE Advisory

A telecom operator holds the most comprehensive personal data profile of any commercial entity: identity documents, phone numbers, billing addresses, payment methods, and a complete record of who each subscriber calls, messages, and communicates with.

The exfiltration of 371,000 subscriber records from DU - including Emirates IDs, SIM data, and usage records - exposes not just identity information but behavioral intelligence.

Call detail records reveal personal relationships, business contacts, travel patterns, and daily routines.

This data in the hands of a threat actor enables targeted social engineering, identity fraud, and surveillance at a scale that extends far beyond conventional financial fraud.

Telecom subscriber databases are high-value targets precisely because they consolidate identity, financial, and behavioral data in a single system.

The Customer Relationship Management (CRM) and subscriber management platforms at the core of any telecom operation must be protected with defense-in-depth controls.

Database access must be restricted through role-based access controls enforced by Privileged Access Management (PAM) platforms - CyberArk, BeyondTrust, or Delinea - ensuring that no single account has unrestricted query access to the full subscriber database.

Administrative access to CRM systems must require multi-factor authentication using phishing-resistant FIDO2 hardware security keys.

The difference between PAM-governed database access and unrestricted administrative credentials is the difference between an attacker who can query one subscriber at a time and an attacker who can export 371,000 records in a single operation.

Emirates ID numbers are government-issued identity credentials that cannot be changed. Their exposure creates a permanent identity fraud risk for every affected subscriber.

Telecom operators storing Emirates IDs must implement field-level encryption - encrypting the Emirates ID column at the database level using AES-256 with keys stored in a Hardware Security Module (HSM).

Field-level encryption ensures that even if the database is fully exfiltrated, the most sensitive identifiers remain encrypted and unreadable without access to the HSM-managed decryption keys.

Oracle Transparent Data Encryption, Microsoft SQL Server Always Encrypted, or application-layer encryption libraries provide this capability. The attacker would have obtained encrypted ciphertext instead of 371,000 readable Emirates ID numbers.

Call and data usage records - who called whom, when, for how long, and from what location - constitute telecommunications metadata that is as sensitive as the content of the communications themselves.

Data Loss Prevention (DLP) controls at the network perimeter must monitor for bulk extraction of subscriber records and call detail records.

Any query that returns more than a defined threshold of subscriber records - 1,000 as a conservative baseline - should trigger automated alerting and require secondary approval.

Network segmentation must isolate the subscriber database and call detail record systems from general corporate infrastructure, internet-facing applications, and third-party integrations.

Database Activity Monitoring (DAM) solutions from Imperva or IBM Guardium provide real-time monitoring of all SQL queries against subscriber databases, detecting and alerting on bulk extraction patterns before the full dataset leaves the network.
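As an added example (not DU's, Imperva's or Guardium's own logic), the following Node.js function applies the 1,000-row baseline to constructed DAM-style audit records and adds the check a per-query threshold alone misses: a session that pages through the subscriber table in sub-threshold chunks inside a short window. The record layout, table names and ten-minute window are assumptions.

```javascript
// Audit records use a constructed "ISO time | session | rows | statement" shape, not a vendor format.
const PER_QUERY_LIMIT = 1000;      // the advisory's conservative baseline
const WINDOW_MS = 10 * 60 * 1000;  // chunked-extraction window (assumption, not from the advisory)
const SUBSCRIBER_TABLES = /\b(subscribers|call_detail_records)\b/i; // assumed table names

function parseAuditLine(line) {
  const [ts, session, rows, statement] = line.split('|').map((s) => s.trim());
  const at = Date.parse(ts);
  const n = Number(rows);
  if (Number.isNaN(at) || !Number.isInteger(n) || !statement) return null;
  return { at, session, rows: n, statement };
}

// Alerts on (a) any single query over PER_QUERY_LIMIT and (b) any session whose
// sub-threshold queries against subscriber tables add up past the limit inside one
// WINDOW_MS: the paging pattern that a per-query threshold on its own never sees.
function detectBulkExtraction(auditLog) {
  const alerts = [];
  const windows = new Map(); // session -> { start, total, alerted }
  for (const line of auditLog.trim().split('\n')) {
    const q = parseAuditLine(line);
    if (!q || !SUBSCRIBER_TABLES.test(q.statement)) continue;
    if (q.rows > PER_QUERY_LIMIT) {
      alerts.push({ kind: 'bulk_query', session: q.session, rows: q.rows });
      continue;
    }
    let w = windows.get(q.session);
    if (!w || q.at - w.start > WINDOW_MS) {
      w = { start: q.at, total: 0, alerted: false }; // open a new tumbling window
      windows.set(q.session, w);
    }
    w.total += q.rows;
    if (w.total > PER_QUERY_LIMIT && !w.alerted) {
      w.alerted = true;
      alerts.push({ kind: 'chunked_extraction', session: q.session, rows: w.total });
    }
  }
  return alerts;
}

// Constructed audit lines: a normal per-subscriber lookup, a single bulk export,
// a session paging through the table 400 rows at a time, and a non-subscriber query.
const SAMPLE_AUDIT = `
2025-11-01T09:00:00Z | sess-101 | 1    | SELECT * FROM subscribers WHERE msisdn = ?
2025-11-01T09:01:00Z | sess-202 | 5000 | SELECT * FROM subscribers
2025-11-01T09:02:00Z | sess-303 | 400  | SELECT * FROM subscribers LIMIT 400 OFFSET 0
2025-11-01T09:03:00Z | sess-303 | 400  | SELECT * FROM subscribers LIMIT 400 OFFSET 400
2025-11-01T09:04:00Z | sess-303 | 400  | SELECT * FROM subscribers LIMIT 400 OFFSET 800
2025-11-01T09:05:00Z | sess-404 | 900  | SELECT id, name FROM plans
`;
```

Running `detectBulkExtraction(SAMPLE_AUDIT)` yields two alerts: a bulk_query for sess-202 and a chunked_extraction for sess-303 once its third page pushes the window total to 1,200 rows.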

The UAE PDPL (Federal Decree-Law No. 45/2021) requires breach notification and imposes fines up to AED 10 million. The TDRA regulates telecom operators specifically.

DU's failure to issue any public acknowledgment means 371,000 subscribers have not been notified and cannot take protective action - freezing financial accounts linked to exposed billing data, monitoring for identity fraud using their Emirates IDs, or changing phone numbers that are now in threat actor hands.

Incident response plans for telecom operators must include pre-drafted subscriber notification templates and a decision matrix that triggers notification within 72 hours of confirmed data exposure. The cost of notification is measured in operational effort.

The cost of not notifying is measured in regulatory fines, subscriber lawsuits, and the reputational destruction that follows when affected customers learn about the breach from dark web monitoring services rather than from their telecom provider.

05

SOURCES

Dark Web Forum Listing, UAE PDPL (Federal Decree-Law No. 45/2021), TDRA Regulatory Framework
