CEO Voice

Security Flaws Exposed at New Indian Consular Contractor Amid Active Client and Employee Data Leak

A major security vulnerability has been uncovered within the digital infrastructure of Alhind Tours and Travels, the company newly appointed to take over Indian consular and passport services across the UAE.

Evidence obtained by this media house reveals that the company is actively exposing sensitive databases containing private information of its existing clients and internal employees.

The revelation comes at a critical time, as the Embassy of India in Abu Dhabi prepares to transfer its massive passport, visa, and consular outsourcing contract to Alhind on July 1, 2026.

The three-year contract tasks the company with managing highly sensitive identity records for the UAE’s 4.3 million-strong Indian diaspora. However, the discovery of exposed backend logs, consumer information, and internal workforce data has raised urgent compliance questions under the UAE’s federal data privacy framework.

Forensic digital evidence reviewed by investigative reporters shows that unencrypted client files, employee personal records, identification data, and transaction logs are accessible due to critical database misconfigurations. Instead of being secured behind enterprise-grade firewalls, the data is effectively being leaked to the open web, leaving thousands of past and current clients, as well as the company’s own staff, vulnerable to exploitation.

The security failure mirrors recent high-profile data leak scandals that have plagued global document processing giants such as VFS Global, signaling a wider systemic failure in how private third-party contractors handle sovereign identity data.

With Alhind currently rushing to launch 16 new technology-driven consular centers across all seven emirates, including a massive 12,000 sq. ft. flagship hub in Bur Dubai, cybersecurity professionals warn that migrating federal government data onto flawed infrastructure could be catastrophic.

Under Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), the UAE enforces some of the strictest data privacy mandates in the region. The law strictly prohibits companies from exposing personal and corporate workforce data through negligent security practices, carrying severe financial penalties for entities that fail to implement mandatory encryption and access controls.

Industry insiders note that while Alhind won the contract by bidding a low, cost-effective service fee of Dh19 per transaction, cut-rate pricing must not translate to cutting corners on cybersecurity.

The transition to Alhind was initially ordered after India’s Ministry of External Affairs debarred the long-standing operator from new tenders following persistent applicant complaints and legal disputes.

However, these documented leaks indicate that the impending transition may trade customer service delays for severe cybersecurity liabilities. The company is in the process of deploying over 350 newly recruited operational personnel to handle hundreds of daily passport renewals, Overseas Citizen of India (OCI) cards, and Police Clearance Certificates—personnel whose own personal onboarding data is now caught up in the security lapse.
