Passports and identity documents belonging to hundreds of attendees at Abu Dhabi Finance Week were left publicly accessible on an unprotected cloud server, exposing personal data of senior figures in global finance and politics.
A Cache Left Open
In early December, as Abu Dhabi Finance Week drew more than 35,000 attendees to the emirate’s flagship investment conference, a separate and largely invisible drama was unfolding online.
Scans of more than 700 passports and state identity cards — along with invoices and other documents linked to the event — were stored on a cloud server that required no password to access. According to Roni Suchowski, a freelance security researcher and consultant who discovered the trove, the files were publicly accessible through a simple web browser.
The exposed material, he said, remained available for at least two months. Previous attempts to alert organisers were unsuccessful, prompting him to contact the Financial Times, which reviewed a sample of the files. One attendee, reacting to news of the lapse, described it as a “massive data breach” and said it was “pretty appalling.”
Abu Dhabi Finance Week, known as ADFW, has become a centrepiece of the emirate’s effort to position itself as a global financial hub. Organised by ADGM, Abu Dhabi’s financial centre, the event claimed that “total assets represented during the week surpassed $62tn.”
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
High-Profile Names in the Files
Among those whose identity documents were exposed were Lord David Cameron, the former British prime minister; Alan Howard, the billionaire hedge fund manager; and Anthony Scaramucci, the U.S. investor and former White House communications director, according to documents reviewed by the Financial Times.
Other prominent individuals included Richard Teng, co-chief executive of the crypto exchange Binance and former chief of ADGM, and Lucie Berger, the European Union’s ambassador to the United Arab Emirates. Representatives for Cameron, Howard, Berger and Teng declined to comment. Scaramucci also declined to comment.
ADFW has previously said that speakers at the event included several U.A.E. government ministers and senior executives from major financial institutions such as UBS, Blackstone, Standard Chartered, Barclays, Morgan Stanley, Temasek, Bridgewater, Carlyle and Man Group. Representatives from crypto companies including Tether and Crypto.com also attended.
The conference in December was attended by Abu Dhabi’s crown prince, Sheikh Khaled bin Mohammed bin Zayed al-Nahyan, and was widely promoted on social media as a showcase for the emirate’s expanding financial ecosystem.
Discovery and Disclosure
Suchowski said he identified the exposed server using off-the-shelf software designed to scan cloud services for unsecured data. The cache included passport scans and identification cards among tens of thousands of publicly accessible files.
“Responsible disclosure is crucial” in cases of data exposure, Suchowski said. “The goal is always to notify the organisation privately and give them the opportunity to fix the issue before it is abused.”
Complete passport scans, he added, can be valuable to fraudsters operating on the dark web. Combined with other personal information, they may be used to steal identities, conduct highly personalised phishing attacks or gain unauthorised access to online accounts.
Neil Quilliam, an associate fellow in the Middle East and North Africa Programme at Chatham House, described the lapse as a “blunder,” saying such a “basic and simple” error “runs counter to how the state likes to present itself.”
Official Response and Broader Implications
In a statement, ADFW confirmed “a vulnerability in a third-party vendor-managed storage environment relating to a limited subset of ADFW 2025 attendees.”
“ADFW takes, and has always taken, data protection and platform security extremely seriously, and any breaches of security are also taken with utmost seriousness,” the statement said.
“The environment was secured immediately upon identification, and our initial review indicates that access activity was limited to the researcher that identified the issue.”
ADFW said it had contacted affected attendees to inform them of the data breach. Cybersecurity experts said the exposure risked damaging the reputation of a Gulf state that regularly hosts high-profile conferences and emphasises the strength of its security operations.
For Abu Dhabi, which has sought to attract hedge funds and asset managers to its fast-growing financial centre, the incident unfolded against a backdrop of intense competition among global hubs for capital and influence. The conference was intended as a showcase of stability and ambition. Instead, for at least several weeks, a sensitive record of its most prominent participants was left open to the internet.
