Emirates ID cards contain extensive personal and biometric information, including residence number, passport data, fingerprints, iris scans, and more
In 2020, an expat was arrested in Dubai after allegedly using another man’s Emirates ID to encash cheques in a Dh350,000 fraud scheme involving multiple transactions and accomplices. The case highlighted how identity documents can be exploited when individuals fail to follow access and verification protocols.
The risk does not begin with organised fraud. It often starts in routine moments when residents are asked to hand over or send copies of their Emirates ID at shops, delivery points, or service counters. But these seemingly standard requests can be how sensitive personal data leaks if copied, stored, or shared without proper protection.
Emirates ID cards contain extensive personal and biometric information, including residence number, passport data, fingerprints, iris scans, and more. If copies are mishandled, stored insecurely, or circulated without control, they can be misused for impersonation, fraud, or account takeover.
Speaking to media, experts said the issue is not the possession of the card but unmanaged duplication of its data in everyday transactions, which often occur outside controlled or regulated systems.
UAE authorities have advised residents to avoid sharing sensitive information and to distinguish between legitimate verification requirements and unnecessary data collection requests. Not every entity requesting a copy of an Emirates ID is legally entitled to keep it.
ICP rules and UAE data law on Emirates ID
The Federal Authority for Identity, Citizenship, Customs and Port Security (ICP) warned that Emirates ID cards must not be used for commercial incentives like discounts or rewards, nor held as collateral for services. It also stressed that private entities cannot keep ID cards unless legally authorised, and withholding them without judicial or official authority is prohibited.
Under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, any entity that collects, stores, copies, or uses Emirates ID data processes personal data. Such processing must be lawful, fair, transparent, and limited to a defined purpose, with strong safeguards against unauthorised access, misuse, or disclosure.
The authority urged residents to protect their identity documents and share them only when legally required or when an entity has official authorisation to request them.
When requesting Emirates ID is legal
A legal expert said the issue is not whether Emirates ID requests are valid in principle but whether they are proportionate and properly controlled.
“The issue is not that an Emirates ID can never be requested,” said Nikhat Sardar Khan, litigation and DIFC lawyer. “Certain entities may have a lawful basis for it — for example, KYC, banking compliance, telecom registration, or onboarding. However, the request must be proportionate. Copying or retaining Emirates ID data without a lawful purpose is not justified, and the organisation must ensure it is not misused.”
She added that individuals have legal remedies if misuse occurs. Data subjects can file complaints against organisations processing their data in breach of the law, and can request correction, erasure, restriction, or access to their information. In more serious cases involving breaches, organisations also carry notification and reporting obligations.
Dubai court case shows how Emirates ID misuse led to fraud
Nikhat also highlighted a separate case to show how ID misuse can lead to major fraud. A Dubai court reviewed a dispute involving an employee who allegedly misused his employer’s Emirates ID to open a corporate account and position himself as an authorised signatory.
Before the employer travelled, the employee allegedly obtained a small-value utility cheque and later altered its value while away. He also disabled the employer’s banking SMS alerts through a telecom channel, reducing transaction visibility.
The situation got worse when a new company account was opened and the employee became the authorised signatory, reportedly because service providers did not verify things properly. The cheque amount increased from about Dh96 to Dh1,000,000, which allowed withdrawals of around Dh350,000.
Some of the funds were recovered. “The case was only partially successful because the Court found that the employer had also been negligent by leaving the Emirates ID accessible in the office,” Nikhat said.
How cybercriminals can use ID data
Cybersecurity expert Rayad Kamal Ayub, MD, Rayad Group, said Emirates ID-related fraud typically follows identifiable patterns rather than isolated incidents.
“Common fraud scenarios include SIM-swap fraud, fake KYC onboarding, UAE PASS-related social engineering, and identity stitching,” he said.
SIM-swap fraud involves attackers using personal identity data to take over telecom accounts and intercept banking OTPs. Fake KYC onboarding creates mule accounts or fraudulent financial profiles. Identity stitching combines fragments of leaked data, such as contact details, to build complete identity profiles for fraud.
Rayad also pointed to a persistent operational weakness in informal document sharing.
“One of the most persistent weak points remains informal document sharing. Residents are often asked to send copies of their Emirates IDs via WhatsApp, email, or other unsecured channels for services like delivery verification, access control, or administrative processing. Once shared, individuals often lose control over where the data is stored, who accesses it, and how long it is retained,” he said.
Emirates ID is secure
The Emirates ID system is designed to provide secure identification. The card’s chip holds encrypted data that only authorised systems can access. It also has several physical security features, and the main database keeps identity records for official checks.
“Most risks do not come from the system itself. Something as simple as scanning, photographing, emailing, or forwarding photocopy of Emirates ID is considered ‘processing’ of personal data under the Personal Data Protection Law. This triggers legal obligations on organisations to apply data minimisation, purpose limitation, and secure storage practices,” Rayad explained.
How to protect Emirates ID data in UAE
Regulators and cybersecurity experts agree on a simple set of steps that both individuals and organisations should follow.
Key recommendations include:
-
Share Emirates ID data only when strictly necessary and for a defined purpose
-
Prefer UAE PASS verification instead of document sharing where possible
-
Add watermarks, dates, and purpose labels on any submitted copies
-
Avoid sending Emirates ID images through WhatsApp or unsecured channels
-
Never share Emirates ID copies alongside banking credentials or OTPs
-
Verify legitimacy of requests, especially in informal or ad-hoc situations
-
Store any collected copies securely with encryption and access controls
