Security Concerns Emerge Around New Indian Consular Services Contractor in UAE Amid Alleged Data Exposure

Serious cybersecurity concerns have surfaced around Alhind Tours and Travels, the company selected to assume responsibility for Indian passport, visa, and consular services across the UAE, after evidence revealed the apparent exposure of sensitive client and employee information through unsecured digital systems.

The findings come just weeks before the Embassy of India in Abu Dhabi is scheduled to transfer its consular outsourcing operations to Alhind on July 1, 2026.

Under the new three-year agreement, the company will manage a vast volume of personal and identity-related records belonging to the UAE’s estimated 4.3 million Indian residents.

Documents and digital evidence reviewed by this publication indicate that databases containing customer information, employee records, identification details, and transaction logs may be accessible due to significant security misconfigurations. Cybersecurity experts familiar with the matter say the exposed systems appear to lack adequate safeguards typically expected for organisations handling sensitive personal data.

The reported exposure raises questions about the company’s preparedness to manage large-scale government-related identity services and whether existing infrastructure meets the stringent data protection requirements mandated under UAE law.

Industry observers note that the alleged security gaps bear similarities to previous data protection controversies involving major global outsourcing and document-processing providers, highlighting broader concerns surrounding the handling of sensitive identity information by third-party contractors.

The timing of the discovery is particularly significant as Alhind accelerates preparations for the nationwide rollout of its consular services network. The company has announced plans to establish 16 technology-enabled service centres across all seven emirates, including a major processing hub in Bur Dubai, while recruiting hundreds of personnel to support operations.

Cybersecurity professionals warn that any migration of large-scale government and identity-related records onto inadequately secured infrastructure could create substantial risks for applicants and employees alike, potentially exposing personal information to unauthorised access, fraud, or misuse.

The UAE’s Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) requires organisations to implement appropriate technical and organisational measures to safeguard personal information. Failure to maintain adequate security controls can result in regulatory scrutiny and potential penalties.

The development has also renewed debate over the balance between cost efficiency and operational resilience in public-service outsourcing contracts. While Alhind secured the contract with a reported service fee of Dh19 per transaction, industry experts emphasise that competitive pricing should not come at the expense of cybersecurity standards and data protection compliance.

The transition follows a decision by India’s Ministry of External Affairs to replace the previous service provider after a series of applicant complaints and contractual disputes. However, critics argue that service quality improvements must be matched by robust security controls, particularly when handling highly sensitive identity documents and personal records.

As the July handover date approaches, questions remain over whether the reported vulnerabilities have been addressed, whether regulators have been informed, and what assurances can be provided to millions of Indian expatriates whose personal information may soon be processed through the new system.

Neither Alhind Tours and Travels nor relevant authorities had publicly commented on the reported security concerns at the time of publication.