In September 2025, a threat actor announced on a hacker forum the exfiltration of 239 GB of data comprising 417,057 files from the Society of Engineers UAE - the mandatory professional licensing body for engineers in the UAE. This breach consisted overwhelmingly of full document scans: Emirates ID cards, passport pages, education certificates, visa documents, and professional qualification records.
KEY FACTS
- What: 239 GB containing 417,000 files exfiltrated from UAE engineering body.
- Who: Registered engineers across the UAE, including critical infrastructure workers.
- Data Exposed: Emirates ID scans, passport pages, education certificates, and visa documents.
- Outcome: No public acknowledgment; faces UAE PDPL fines up to AED 5M.
WHAT HAPPENED
In September 2025, a threat actor posted on a hacker forum claiming to have exfiltrated 239 GB of data from the Society of Engineers UAE - the mandatory professional licensing body that every practicing engineer in the country must register with to obtain a work permit.
The listing detailed 417,057 files, and the composition was overwhelmingly identity documents: scanned Emirates ID cards, full passport pages, education certificates, visa documents, and professional qualification records.
The threat actor provided sample files as proof of access.
The Society of Engineers UAE functions as a gatekeeper for the engineering profession in the Emirates. Registration requires submitting original identity documents, educational transcripts, and proof of professional qualifications.
The organization maintains a centralized archive of these submissions for every licensed engineer in the country - from civil engineers working on NEOM-adjacent projects to electrical engineers maintaining critical infrastructure.
The exfiltrated data therefore represents a near-complete identity package for each affected individual: government-issued ID, international travel document, educational history, immigration status, and professional credentials.
No public acknowledgment was issued by the Society of Engineers UAE. No breach notification was sent to affected engineers.
The organization's silence left tens of thousands of professionals - many of them expatriate workers whose residency status depends on their engineering license - unaware that their most sensitive identity documents were circulating on a hacker forum.
Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021), the organization faces potential fines of up to AED 5 million for failure to implement adequate security measures and failure to notify affected data subjects.
ZERO|TOLERANCE Advisory
A professional licensing body that requires original identity documents as a condition of registration assumes custodial responsibility for that data.
The Society of Engineers UAE collected Emirates IDs, passport scans, education certificates, and visa documents from every engineer in the country - not because those engineers chose to share that data, but because the law required them to.
That mandatory relationship creates an elevated duty of care. When 417,057 files containing those documents appear on a hacker forum, every engineer in the UAE has reason to ask whether the organization that compelled their data submission was capable of protecting it.
The first control that should have been in place is encryption of document stores at rest. A 239 GB archive of scanned identity documents should never exist in cleartext on any system accessible from a network.
Emirates ID cards contain the holder's unique identity number, photograph, and biometric data. Passport scans contain the machine-readable zone that encodes nationality, date of birth, and document number. These are permanent identifiers that cannot be changed if compromised.
If the document archive was encrypted with properly managed keys, the exfiltrated files would be unreadable.
The fact that the threat actor was able to offer usable identity scans as proof of access indicates that either no encryption was applied or the encryption key was stored alongside the data - a configuration error that negates the control entirely.
The second control is access restriction and monitoring on the document management system.
An archive of 417,057 identity documents should be accessible only to named staff with a specific operational need - registration processors during onboarding, compliance staff during audit, and no one else. Query-level logging should record every access event.
Behavioral monitoring should flag bulk downloads, access from unusual locations or times, and any single session retrieving more than a defined threshold of documents.
An exfiltration of 239 GB represents systematic access to the entire archive - activity that should have been detected within minutes if monitoring was in place.
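The monitoring rule described above can be sketched as detection logic over document-access logs. This is an added example, not code from the Society of Engineers UAE or any vendor; the log format, thresholds, trusted network range, and account names are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed policy values for illustration; tune to the real registration workload.
MAX_DOCS_PER_SESSION = 5
MAX_BYTES_PER_SESSION = 50 * 1024 * 1024
WORK_HOURS = range(7, 19)                               # 07:00-18:59 local time
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # hypothetical office range

def parse(line):
    """Hypothetical log format: ISO-time session user src_ip doc_id bytes."""
    ts, session, user, ip, doc, size = line.split()
    return datetime.fromisoformat(ts), session, user, ipaddress.ip_address(ip), doc, int(size)

def flag_sessions(lines):
    """Return {session_id: sorted list of reasons} for sessions breaking policy."""
    docs, size_total, reasons = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        ts, session, _user, ip, doc, size = parse(line)
        docs[session].add(doc)
        size_total[session] += size
        if ts.hour not in WORK_HOURS:
            reasons[session].add("off-hours access")
        if not any(ip in net for net in TRUSTED_NETS):
            reasons[session].add("untrusted source network")
    for session in docs:
        if len(docs[session]) > MAX_DOCS_PER_SESSION:
            reasons[session].add("document count over threshold")
        if size_total[session] > MAX_BYTES_PER_SESSION:
            reasons[session].add("byte volume over threshold")
    return {s: sorted(r) for s, r in reasons.items()}

# Constructed sample log: one normal onboarding session, one bulk pull at 02:00.
SAMPLE_LOG = [
    "2025-09-01T09:15:00 s-100 reg.clerk 10.20.4.17 doc-0001 2400000",
    "2025-09-01T09:16:30 s-100 reg.clerk 10.20.4.17 doc-0002 1800000",
] + [
    f"2025-09-02T02:00:{i:02d} s-200 svc.portal 203.0.113.9 doc-{1000 + i} 9000000"
    for i in range(8)
]

if __name__ == "__main__":
    for session, why in flag_sessions(SAMPLE_LOG).items():
        print(session, why)
```

Evaluating the same counters over a sliding window as events arrive, rather than over a finished log, is what turns this from an audit report into an alert that fires while the transfer is still in progress.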
The third control is web application security for any portal or system through which these documents were uploaded or accessed. Professional licensing bodies typically operate member portals where engineers upload their identity documents during the registration process.
These portals are internet-facing and represent the most likely initial access vector.
Web application firewalls, regular penetration testing, input validation, and secure session management are baseline requirements for any system that ingests government-issued identity documents.
The absence of any disclosed technical root cause suggests that the initial access vector was either trivially exploitable or has not been investigated.
The fourth control is a breach notification process that meets the requirements of the UAE PDPL. The law requires data controllers to notify affected individuals when a breach poses a risk to their rights and freedoms.
Passport scans and Emirates ID images of every licensed engineer in the UAE unquestionably meet that threshold.
Every affected engineer should have been notified immediately so they could request expedited document replacement, activate identity monitoring, and alert immigration authorities to potential misuse of their credentials.
The organization's silence is not just a regulatory failure - it is a direct harm to the individuals whose data it was obligated to protect.
SOURCES
Dark Web Forum Listing, UAE PDPL (Federal Decree-Law No. 45/2021)