Emirates NBD 700K Credit Card Holder Records Sold for $430 on Dark Web

Jul 1, 2025 · 700K records

HIGH

By Karim El Labban · ZERO|TOLERANCE

In July 2025, a threat actor listed 700,000 credit card holder records allegedly exfiltrated from Emirates NBD - the largest banking group in the Middle East by total assets - on a Chinese-language hacking forum for just $430. This marked the third known breach targeting Emirates NBD in just 18 months, following a 38GB database leak in February 2024 and a brokerage client data sale in September 2025.

01

KEY FACTS

  • What: 700K credit card holder records sold on dark web for just $430.
  • Who: Emirates NBD credit card customers across the Middle East.
  • Data Exposed: Card numbers, names, phone numbers, and email addresses.
  • Outcome: Third breach in 18 months; no public acknowledgment from the bank.

02

WHAT HAPPENED

In July 2025, a threat actor posted a listing on a Chinese-language hacking forum offering 700,000 credit card holder records allegedly from Emirates NBD - the largest banking group in the Middle East by total assets, with over AED 900 billion on its balance sheet.

The dataset was priced at $430, a figure so low it values each cardholder's financial identity at less than one-tenth of a cent. The listing included sample records demonstrating card numbers, full cardholder names, phone numbers, and email addresses.

This was not an isolated incident. It was the third known breach targeting Emirates NBD in just 18 months. In February 2024, a separate threat actor leaked a 38 GB database containing customer records.

In September 2025, brokerage client data from Emirates NBD Securities appeared for sale on a different forum.

The pattern of repeated exposures - across different systems, different data types, and different threat actors - points to systemic security deficiencies rather than a single exploitable vulnerability.

Each successive breach expanded the total volume of Emirates NBD customer data circulating on dark web marketplaces.

Emirates NBD issued no public acknowledgment of the July 2025 listing. No breach notifications were sent to affected cardholders. No regulatory filing was disclosed.

The bank's silence persisted despite the listing being publicly accessible to any threat intelligence analyst monitoring Chinese-language cybercrime forums - and despite the UAE's Personal Data Protection Law imposing obligations on data controllers to notify both the regulator and affected individuals.

03

ZERO|TOLERANCE Advisory

Three breaches in eighteen months from the Middle East's largest bank is not a pattern of bad luck. It is a pattern of institutional failure to secure customer financial data at scale.

Each incident exposed a different dataset - the February 2024 leak contained general customer records, the September 2025 listing involved brokerage client data, and the July 2025 sale targeted credit card holder information.

The diversity of exposed data types across separate incidents indicates that the bank's security failures are not isolated to a single system or business unit. They are architectural.

The first control that would have reduced the impact of this breach is tokenization of credit card data at rest and in transit.

Payment card industry standards - PCI DSS Requirement 3 - mandate that stored cardholder data be rendered unreadable using cryptography, truncation, masking, or tokenization.

If the 700,000 records were exfiltrated with full card numbers intact, the data was either stored in cleartext or the encryption implementation was compromised alongside the data.

Tokenization replaces sensitive card data with non-reversible tokens that are useless outside the issuing bank's processing environment. Even if an attacker exfiltrates a tokenized database, the result is worthless to a buyer on a dark web forum.
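The effect of vault-based tokenization on an exfiltrated table can be shown in a few lines. This is an added example, not code from the bank or from this advisory: `TokenVault`, `tokenize_table` and the field names are hypothetical, and the sample rows are constructed from industry test card numbers.

```python
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card-number runs

def luhn_valid(number: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cleartext_pans(rows):
    """Return every Luhn-valid 13-19 digit run found in any field of the rows."""
    values = (str(v) for row in rows for v in row.values())
    return [m for v in values for m in PAN_RE.findall(v) if luhn_valid(m)]

class TokenVault:
    """Hypothetical vault: tokens are random, the mapping never leaves the vault."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not (re.fullmatch(r"[0-9]{13,19}", pan) and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # reachable only inside the processing environment

def tokenize_table(rows, vault):
    """Swap each row's 'pan' for a token plus a last-four mask for display."""
    out = []
    for row in rows:
        pan = row["pan"]
        safe = {k: v for k, v in row.items() if k != "pan"}
        safe.update(pan_token=vault.tokenize(pan), pan_masked="*" * (len(pan) - 4) + pan[-4:])
        out.append(safe)
    return out

# Constructed sample rows using industry test card numbers, not real data.
SAMPLE = [{"name": "Test User A", "pan": "4111111111111111"},
          {"name": "Test User B", "pan": "5555555555554444"}]
```

Running `find_cleartext_pans` over a database export is also a quick audit for stored card numbers that were never tokenized.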

The second control is continuous dark web monitoring and automated credential rotation. Emirates NBD appeared on dark web forums three times in eighteen months.

Each listing was discoverable by commercial threat intelligence platforms - the same platforms that security teams use to detect exposed corporate credentials, customer data, and stolen intellectual property.

A bank of this size should operate a dedicated threat intelligence function monitoring dark web marketplaces, paste sites, Telegram channels, and Chinese-language forums in real time.

The February 2024 leak should have triggered an enterprise-wide security review that identified and remediated the vulnerabilities exploited in the subsequent two breaches. It did not.

The third control is network segmentation and access control that prevents a single point of compromise from reaching credit card databases, brokerage systems, and general customer records simultaneously.

The fact that three separate incidents exposed three distinct data categories suggests either shared infrastructure with insufficient logical separation or multiple independent access failures - both of which indicate that the bank's internal security architecture does not adequately protect its most sensitive data stores from lateral movement or unauthorized query access.

The fourth control is regulatory compliance with the UAE Personal Data Protection Law.

Federal Decree-Law No. 45/2021 requires data controllers to implement appropriate technical and organizational measures and to notify the UAE Data Office and affected individuals in the event of a personal data breach.

Emirates NBD's silence across all three incidents - no public statement, no breach notification, no regulatory disclosure - creates compounding legal exposure. Fines under the UAE PDPL reach AED 10 million per violation.

Three unreported breaches affecting hundreds of thousands of UAE residents represent a regulatory posture that the UAE Data Office cannot ignore indefinitely.

04

SOURCES

Chinese-Language Forum Listing, Emirates NBD Prior Breach Records, UAE PDPL
