The Breach Brief  ·  Story Week UAE-002

What happens when one spreadsheet goes to the wrong inbox?

Hessa is an L&D Coordinator at a professional services firm in Dubai.
On a Tuesday morning in February, she enrolled 89 employees in a compliance training.
Thirty-eight days later, one of them received a phone call no one could explain.

Dubai, UAE  ·  22 – 26 Jun 2026  ·  UAE PDPL  ·  5-day story

This week’s story

Day 1  ·  Monday 22 Jun
The Enrollment

Hessa enrolled 89 employees in a mandatory compliance training. She typed "Vertex" into the To field, selected the autocomplete, attached the spreadsheet, and hit send at 10:22 AM.

The vendor's contract had expired five months earlier. Their domain had been acquired by a competitor. Hessa's contacts had never been updated.

The file landed in the wrong inbox within seconds. Nobody inside her building knew.

Day 2  ·  Tuesday 23 Jun
What Was in That File

The reply arrived at 11:41 AM. Polite, efficient, nothing unusual. She filed the thread. The file had been downloaded at 11:43 AM — 89 employee records, Emirates IDs, salaries to the exact dirham, personal mobiles, notice periods.

The vendor who replied was not the vendor she had emailed. Their domain had changed hands. Nobody inside Khalij Advisory Group knew.

Day 3  ·  Wednesday 24 Jun
The Silence

Thirty-eight days. No alert. No complaint. No flag. Inside, the training launched and completion rates tracked. Outside, someone opened the spreadsheet again on day 24 — not to audit it. To use it.

89 profiles mapped. Salaries cross-referenced. Notice periods noted. The alarm that should have been raised — nobody had raised it. Nobody knew it was theirs to raise.

Day 4  ·  Thursday 25 Jun
The Call

Fatima, six weeks into her role, received a call from an unknown number. The caller knew her role, her notice period, and her personal mobile. Then he quoted her salary to the exact dirham.

She walked to HR. The thread connected in 51 minutes. The UAE Data Office was notified at 5:48 PM. The investigators found no vendor contract, no data-sharing authorisation process, no breach notification protocol, and no DPO. The breach had occurred 38 days earlier.

Day 5  ·  Friday 26 Jun
The Verdict

The timeline was reconstructed in full. Email sent at 10:22 AM on 11 February. Reply received at 11:41 AM. File downloaded at 11:43 AM. Breach awareness established at 12:08 PM on 21 March — the moment Fatima's complaint reached the HR Director. Notification submitted to the UAE Data Office at 5:48 PM the same day.

Thirty-eight days and one hour between the breach and the moment anyone inside knew to start the clock.

This is what the investigation found. Not as background. As verdict.

No one owned the alarm.
When a breach happens, someone has to raise it — fast. There was no breach protocol, no named point of contact, and no register. The breach began on 11 February. Nobody inside knew until 21 March. For over a month, the thing that should have triggered a response had no one assigned to trigger it.
No one owned the data.
There was no one whose job it was to ask the simple questions — who are we sharing this with, and is that agreement still valid? No named person responsible for how personal data left the building. So the question never got asked, and the file went out on an autocompleted address no one had checked in months.
Nothing guarded the door.
The HR drive had no access controls. There was no log of what was shared externally. There was no vendor-expiry check. The safeguards that should sit around sensitive data simply were not built — so one autocompleted address was all it took. None of the measures the law requires had been built.

In the UAE, data protection rules now apply, and the consequences for a breach are no longer hypothetical.

The investigators’ conclusion was the same one that appeared in every similar case: the person who hit send was not the problem. The absence of any system around that moment was.

Hessa followed the process exactly as it existed. She selected the contact. She attached the file. She hit send. She did what L&D coordinators across the UAE do every single Tuesday morning.

That was the problem.

3 things your organisation must do before next Tuesday:

1. Appoint a named DPO — today. One person. Named. Responsible for breach notification before the call comes.

2. Document your notification protocol — now. One page. On the intranet. Who is contacted, in what order, within what timeframe. Your obligation begins at discovery — not when legal gets involved.

3. Train the people who touch the data. Hessa didn’t need a policy handout. She needed training built around what she actually does — handling enrollment files, managing HR data — and what UAE law requires of her in those specific moments. Role-specific. Repeatable. The kind that makes the right action feel automatic before the mistake happens.

Hessa still works there. She knows what to do now. Does your team?

If your organisation needs to close this gap — the training exists, built for exactly this.
training.cybernym.io/login/?tab=demo

Cybernym.io — Cyber Instincts. Built, Not Taught.
