Dubai PCFC 1.94TB of Port Worker Data Exfiltrated and Sold for $50K

Sep 10, 2025 · 1.94TB exfiltrated

HIGH

By Karim El Labban · ZERO|TOLERANCE

On September 10, 2025, a threat actor operating under the alias "Kazu" posted a listing on dark web forums claiming to have exfiltrated 1.94 terabytes of data - comprising over 13 million files - from the Security Department of Dubai's Ports, Customs and Free Zone Corporation (PCFC).

The dataset was offered for sale at $50,000 and allegedly contained scanned passport copies, Emirates ID images, facial photographs, driving licenses, visa documentation, and detailed port access records.

01

KEY FACTS

  • What: Threat actor "Kazu" listed 1.94TB (13M+ files) allegedly exfiltrated from the Security Department of Dubai PCFC.
  • Who: Port workers at Dubai's Jebel Ali Port and free zone facilities.
  • Data Exposed: Passport scans, Emirates ID images, facial photographs, driving licenses, visa documents, and gate entry/exit logs.
  • Outcome: Listed at $50K with the listing left active; no public acknowledgment from PCFC or any UAE authority, and no notification to affected workers.

02

WHAT HAPPENED

On September 10, 2025, a threat actor operating under the alias "Kazu" listed 1.94 terabytes of data - over 13 million files - on a dark web forum, claiming the data was exfiltrated from the Security Department of Dubai's Ports, Customs and Free Zone Corporation (PCFC).

PCFC oversees the Jebel Ali Port complex, the largest port in the Middle East and the ninth busiest in the world by container throughput. The listing included sample files and directory structures as proof of access, and the full dataset was priced at $50,000.

The alleged contents represent a comprehensive identity and access archive for port workers: scanned passport copies, Emirates ID card images, facial photographs, driving licenses, visa documentation, and detailed gate entry and exit logs.

This combination of biometric-grade identity documents with physical access records creates an intelligence product - it maps who works at a strategic port facility, what they look like, what identification they carry, and exactly when they enter and leave secured areas.

For a facility that ranks among the ten busiest container ports in the world and serves as a logistics hub for military and commercial supply chains, this data carries national security implications.

No public statement was issued by PCFC or any UAE government authority acknowledging the listing. The threat actor "Kazu" maintained the listing as active on the forum, suggesting that the data either sold or remained available for purchase.

The absence of any government response left affected port workers - many of whom are expatriate workers with limited recourse - without notification, credit monitoring, or guidance on protecting their exposed identity documents.

03

ZERO|TOLERANCE Advisory

The exfiltration of 1.94 terabytes from the security department of a strategic national port facility is not a conventional data breach. It is a counterintelligence failure.

The exposed dataset combines government-issued identity documents with physical access logs for one of the world's busiest port complexes - creating a targeting package that maps personnel, their biometrics, their nationalities, and their movement patterns through a facility that processes military logistics, petroleum exports, and commercial cargo.

The value of this data extends far beyond financial fraud. State intelligence services and organized crime networks pay premiums for exactly this combination of identity and access data.

The first control that should have been in place is encryption at rest for all document stores containing identity scans and access records. Scanned passports, Emirates IDs, and facial photographs should never exist in cleartext on any network-accessible storage system.

If the files had been encrypted under keys held in a hardware security module, a bulk copy of the store - from a stolen backup, an exposed share, or a compromised file server - would have yielded only ciphertext and wrapped per-document keys. The caveat a practitioner should add: encryption at rest does not help if the attacker operates through an application or account that is itself authorized to decrypt, so the key-release path (who can unwrap which keys, how fast, and from where) must be controlled and monitored as tightly as the documents themselves.

The $50,000 asking price suggests the data was usable as-is - meaning either no encryption was applied or the encryption was trivially bypassable.
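What "encryption at rest with HSM-managed keys" has to look like at the application layer, as an added illustration (this is example code written for this advisory, not anything from PCFC or any vendor): each document gets its own data key, that data key is wrapped under a key-encryption key that in production would be held in an HSM or KMS, and the document ID is bound into both ciphertexts as associated data. A fixed 32-byte KEK in memory stands in for the HSM-held key; the record layout, the document IDs and the passport string are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the document store persists for one scanned document: the body
// sealed under a per-document data key (DEK), and that DEK wrapped under the
// key-encryption key (KEK). Neither field is useful without the KEK.
type Record struct {
	DocID      string
	WrappedDEK []byte // AES-256-GCM under the KEK: nonce || ciphertext, AAD = DocID
	Body       []byte // AES-256-GCM under the DEK: nonce || ciphertext, AAD = DocID
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext, so a record carries everything needed to open it except the key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptDocument draws a fresh 256-bit DEK, seals the body under it, and wraps the DEK
// under the KEK. With a real HSM, wrap and unwrap are the only calls that touch the KEK.
func EncryptDocument(kek []byte, docID string, body []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	aad := []byte(docID)
	sealedBody, err := seal(dek, body, aad)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Record{}, err
	}
	return Record{DocID: docID, WrappedDEK: wrapped, Body: sealedBody}, nil
}

// DecryptDocument is the only path back to plaintext: unwrap, then open. Because DocID is
// bound as AAD, a key or body copied from one record cannot be replayed against another.
func DecryptDocument(kek []byte, rec Record) ([]byte, error) {
	aad := []byte(rec.DocID)
	dek, err := unseal(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", rec.DocID, err)
	}
	return unseal(dek, rec.Body, aad)
}

// Leaks reports whether a stored record exposes the plaintext fragment: what a bulk copy hands an attacker.
func Leaks(rec Record, fragment []byte) bool {
	return bytes.Contains(rec.Body, fragment) || bytes.Contains(rec.WrappedDEK, fragment)
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // stand-in for a key that would live in an HSM
	passport := []byte("PASSPORT SCAN name=EXAMPLE WORKER number=X0000000") // constructed
	rec, err := EncryptDocument(kek, "worker-00001/passport.jpg", passport)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored record:", Leaks(rec, []byte("X0000000")))
	pt, err := DecryptDocument(kek, rec)
	fmt.Println("authorized decrypt round-trips:", err == nil && bytes.Equal(pt, passport))
	rec.DocID = "worker-00002/passport.jpg" // attacker relabels the record
	_, err = DecryptDocument(kek, rec)
	fmt.Println("relabelled record rejected:", err != nil)
}
```

Copying the store yields `Record` values; the only operation that turns them back into passport scans is an unwrap against the KEK, which is therefore the call to log, rate-limit and alarm on.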

The second control is strict access control and monitoring on document management systems containing identity records.

A security department handling identity verification for a national port facility would maintain a document management system or file server containing millions of scanned documents.

Access to that system should be restricted to named individuals with a documented operational need, logged at the query level, and monitored for anomalous access patterns.

An exfiltration of 13 million files represents either bulk download activity over an extended period or exploitation of an administrative or service account with unrestricted access - both of which behavioral monitoring is built to detect: a single principal touching far more distinct records in a short window than any human workflow produces.

The third control is network-level data loss prevention configured to detect and block bulk data transfers from internal systems to external destinations. Moving 1.94 terabytes out of a secured government network is not instantaneous.

1.94 terabytes is roughly 15.5 terabits: at a sustained 1 Gbps that is about 4.3 hours, at 100 Mbps about 43 hours, and longer still if the attacker throttles the transfer to stay below noise.

Egress monitoring policies that alert on sustained outbound transfers exceeding defined thresholds - particularly from systems containing classified or sensitive identity data - would have flagged the exfiltration in progress and enabled containment before the full dataset was removed.
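The two monitoring controls above (query-level access monitoring on the document store, and egress thresholds on outbound traffic) are both sliding-window rate checks, so one added example covers both. This is illustration code written for this advisory, not PCFC's tooling: the audit-log and flow-record shapes, the principal names, the IP addresses and the volumes are constructed, and the thresholds (200 distinct documents in ten minutes, 50 GB outbound in an hour) are assumptions a real deployment would tune against its own baseline.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed record shapes: one audit-log row from the document store, one outbound flow summary.
type AccessEvent struct{ At time.Time; Principal, DocID string }
type FlowRecord struct{ At time.Time; Src string; DstExternal bool; Bytes int64 }

// BulkAccessAlerts returns, for each principal exceeding maxDocs, the largest number of
// distinct documents it opened inside any window of the given length. Counting distinct IDs
// ignores an analyst re-opening one record and catches enumeration whichever account runs it.
func BulkAccessAlerts(events []AccessEvent, window time.Duration, maxDocs int) map[string]int {
	byPrincipal := map[string][]AccessEvent{}
	for _, e := range events {
		byPrincipal[e.Principal] = append(byPrincipal[e.Principal], e)
	}
	alerts := map[string]int{}
	for p, evs := range byPrincipal {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		inWindow := map[string]int{} // DocID -> occurrences inside the current window
		peak, start := 0, 0
		for end := range evs {
			inWindow[evs[end].DocID]++
			for evs[end].At.Sub(evs[start].At) > window { // advance the left edge
				d := evs[start].DocID
				if inWindow[d]--; inWindow[d] == 0 {
					delete(inWindow, d)
				}
				start++
			}
			if len(inWindow) > peak {
				peak = len(inWindow)
			}
		}
		if peak > maxDocs {
			alerts[p] = peak
		}
	}
	return alerts
}

// EgressAlerts sums bytes to external destinations per internal source over a sliding window.
func EgressAlerts(flows []FlowRecord, window time.Duration, maxBytes int64) map[string]int64 {
	bySrc := map[string][]FlowRecord{}
	for _, f := range flows {
		if f.DstExternal {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	alerts := map[string]int64{}
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].At.Before(fs[j].At) })
		sum, peak, start := int64(0), int64(0), 0
		for end := range fs {
			sum += fs[end].Bytes
			for fs[end].At.Sub(fs[start].At) > window {
				sum -= fs[start].Bytes
				start++
			}
			if sum > peak {
				peak = sum
			}
		}
		if peak > maxBytes {
			alerts[src] = peak
		}
	}
	return alerts
}

// SampleLogs builds constructed data: an analyst's normal shift (20 records, 20 minutes apart),
// a service account pulling 5,000 distinct records in ten minutes, a workstation's routine 5 MB,
// and the document server pushing 2 GB a minute to an external host for an hour.
func SampleLogs() ([]AccessEvent, []FlowRecord) {
	t0 := time.Date(2025, 9, 1, 2, 0, 0, 0, time.UTC)
	var events []AccessEvent
	for i := 0; i < 20; i++ {
		events = append(events, AccessEvent{t0.Add(time.Duration(i) * 20 * time.Minute), "analyst.a", fmt.Sprintf("worker-%05d/passport", i)})
	}
	for i := 0; i < 5000; i++ {
		events = append(events, AccessEvent{t0.Add(time.Duration(i) * 120 * time.Millisecond), "svc-dms-sync", fmt.Sprintf("worker-%05d/passport", i)})
	}
	flows := []FlowRecord{{t0, "10.20.7.44", true, 5_000_000}}
	for m := 0; m < 60; m++ {
		flows = append(flows, FlowRecord{t0.Add(time.Duration(m) * time.Minute), "10.20.5.12", true, 2_000_000_000})
	}
	return events, flows
}

func main() {
	events, flows := SampleLogs()
	fmt.Println("bulk access (principal -> peak distinct docs per 10 min):", BulkAccessAlerts(events, 10*time.Minute, 200))
	fmt.Println("egress (source -> peak bytes per hour):", EgressAlerts(flows, time.Hour, 50_000_000_000))
}
```

Both checks are per-principal and per-source rather than global, so a quiet network cannot mask one noisy host, and the egress check keys on the source of the document store specifically: the threshold that is reasonable for a backup server is not reasonable for a system holding passport scans.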

The fourth control is an incident response and public notification framework. The UAE PDPL (Federal Decree-Law No. 45 of 2021) requires data controllers to notify the UAE Data Office, and the affected individuals, of a personal data breach that would prejudice their privacy, confidentiality or security. One caveat: the PDPL excludes government entities and government data from its scope, so whether it binds a Dubai government corporation such as PCFC is itself unclear. That uncertainty changes the legal duty, not the operational one.

Passport scans, Emirates ID images, and facial photographs of port workers unquestionably meet that threshold. Affected workers cannot change their passport numbers or their faces.

The absence of any notification deprives them of the ability to take protective action - such as monitoring for identity fraud, requesting expedited document replacement, or alerting immigration authorities to potential misuse of their credentials.

04

SOURCES

Dark Web Forum Listing, PCFC Official Domain, UAE PDPL
