Abu Dhabi Finance Week 700+ VIP Passports Exposed via Cloud Misconfiguration

Feb 1, 2026 · 700+ VIPs · $54M fine exposure

HIGH

By Karim El Labban · ZERO|TOLERANCE


In February 2026, the Financial Times revealed that passport scans and state identity cards belonging to more than 700 VIP attendees of Abu Dhabi Finance Week (ADFW) 2025 had been left on an unprotected cloud storage server for approximately two months.

The exposed individuals included former UK Prime Minister Lord David Cameron, ex-White House Communications Director Anthony Scaramucci, billionaire hedge fund manager Alan Howard, Binance CEO Richard Teng (former ADGM CEO, 2015-2021), and EU Ambassador to the UAE Lucie Berger.

The server required no authentication - anyone with a web browser could access the documents.

Freelance security researcher Roni Suchowski discovered the exposure using off-the-shelf cloud scanning software and contacted the Financial Times after his attempts to notify ADFW directly were ignored.

ADFW secured the server only after the newspaper contacted organizers on February 17, 2026.

01

KEY FACTS

  • What: Passport scans and identity documents of 700+ VIP attendees left on an unauthenticated cloud storage server for two months.
  • Who: Abu Dhabi Finance Week 2025 attendees including former heads of state, billionaire fund managers, crypto executives, and diplomats. 35,000+ attendees from 175 nationalities representing $62 trillion in AUM.
  • How: Misconfigured third-party vendor-managed cloud storage with no access controls - discoverable via off-the-shelf scanning tools.
  • Data: Full passport scan pages, state identity cards, event accreditation records, contact details, invoices, and tens of thousands of operational documents.
  • Actor: N/A - this was organizational negligence and cloud misconfiguration, not a cyberattack.
  • Impact: Abu Dhabi government launched investigation; reputational damage to ADGM; regulatory fine exposure up to USD $54 million under ADGM DPR (2025 tier update).

02

WHAT HAPPENED

Abu Dhabi Finance Week 2025, organized by Abu Dhabi Global Market (ADGM), took place December 8-11, 2025 at The Grand Steps on Al Maryah Island.

Held under the patronage of Crown Prince Sheikh Khaled bin Mohamed bin Zayed Al Nahyan, the fourth edition drew 35,000+ attendees from 175 nationalities, with 819 speakers across 394 sessions.

Attendees represented firms managing over $62 trillion in assets - equivalent to 53% of global GDP. The event featured CEOs from UBS, Blackstone, Barclays, Morgan Stanley, Carlyle, Temasek, Franklin Templeton, and Bridgewater, alongside crypto leaders from Binance, Coinbase, and Tether.

Binance received its first-ever global crypto exchange license under ADGM's framework during the event.

As part of attendee registration and accreditation, passport scans and state identity cards were collected from VIP delegates and stored in a cloud environment managed by an unnamed third-party vendor.

At some point during or after the event, this cloud storage was left without any access controls - no authentication, no password, no IP restrictions. The data sat publicly exposed for approximately two months, from roughly mid-December 2025 through mid-February 2026.

Freelance security researcher Roni Suchowski discovered the exposed storage using commercially available cloud scanning software - the type of tool that systematically enumerates publicly accessible cloud storage buckets. The specific cloud platform has not been disclosed.

Suchowski found scans of more than 700 passports and state identity cards, along with tens of thousands of additional documents including invoices and event operational files. He attempted to notify ADFW directly but was unable to get a response.

He then contacted the Financial Times.

On Monday, February 17, 2026, the Financial Times approached ADFW for comment. The server was secured that same day. The Abu Dhabi government announced an immediate investigation. As of March 25, 2026, no findings have been published.

Cassius Edison, COO of Closed Door Security, assessed: "This leak represents a huge failure in operational security, and an embarrassing one."

03

THREAT ACTOR

There was no threat actor. This was a cloud misconfiguration by a third-party vendor, compounded by ADFW's failure to perform security oversight of its vendor environment and its failure to respond to a researcher's responsible disclosure attempts.

The data was not exfiltrated by an attacker - it was left in a state where anyone on the internet could access it with a standard web browser.

ADFW's claim that only the researcher accessed the data is unverifiable: if the storage had no authentication, it almost certainly had no access logging either.

04

WHAT WAS EXPOSED

Full passport scan pages of 700+ VIP attendees - containing photographs, full legal names, passport numbers, nationalities, dates of birth, places of birth, dates of issue and expiry, and machine-readable zones. State identity cards from multiple jurisdictions.

Event accreditation and registration records - full names, nationalities, contact details. Invoices and financial documents related to event operations. Tens of thousands of additional operational documents on the same server.

Confirmed exposed individuals: former UK Prime Minister Lord David Cameron; American investor Anthony Scaramucci (SkyBridge Capital); hedge fund billionaire Alan Howard (Brevan Howard); Binance CEO Richard Teng (former ADGM CEO, 2015-2021); and EU Ambassador to the UAE Lucie Berger.

Senior executives from UBS, Blackstone, Barclays, Morgan Stanley, and Tether were among the 819 speakers.

Why this data is uniquely dangerous: Passport numbers and biometric photographs cannot be changed - unlike stolen passwords or credit card numbers. Full passport scans enable identity cloning, fraudulent document creation, and bypassing bank KYC verification.

Combined with the publicly known fact that these individuals attended a finance summit managing $62 trillion in assets, the data creates a precise targeting package for whale phishing, extortion, physical kidnapping threats, and sophisticated social engineering against some of the world's wealthiest and most powerful individuals.

05

TECHNICAL FAILURE CHAIN

1. No access controls on cloud storage. The vendor's cloud storage was configured with public access - no authentication, no password, no IP whitelisting.

Every major cloud provider defaults to private access on new storage resources; public access requires deliberate configuration or active circumvention of default security settings.

2. No cloud security posture management (CSPM). Neither ADFW nor ADGM deployed automated tools to scan vendor environments for misconfigurations. A CSPM solution would have flagged a publicly accessible storage bucket containing identity documents within minutes.

3. No vendor security assessment. ADFW entrusted 700+ VIP passport scans to a third-party vendor without verifying cloud security controls. No evidence of pre-engagement security assessment, SOC 2 audit requirement, or ongoing security monitoring.

4. No data minimization or retention policy. Passport scans collected for event registration in December 2025 remained in cloud storage two months later. No automated or manual process existed to delete identity documents after the accreditation purpose was fulfilled.

5. No vulnerability disclosure policy (VDP). When researcher Roni Suchowski attempted to report the exposure directly, his attempts were ignored. ADFW had no published security contact, no bug bounty program, and no documented process for receiving vulnerability reports.

The breach was only remediated because a journalist made contact.

6. No access logging on the storage environment. ADFW's claim that "access activity was limited to the researcher" is unverifiable. Unauthenticated cloud storage typically generates no user-level access logs.
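
Items 1, 4 and 6 of this chain are conditions a posture scanner can test mechanically. The sketch below is an added example, not code from the article or from any vendor involved: it assumes AWS S3 conventions (the article does not name the platform), a hypothetical inventory schema and `data-class` tag, and constructed sample buckets; the two-day limit mirrors the 48-hour deletion target in the advisory section.

```python
# Assumption: AWS S3 naming; the per-bucket dict schema is hypothetical.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_anyone(policy):
    """True if a statement Allows Principal '*' with no Condition."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            wildcard = "*" in _as_list(principal.get("AWS", []))
        else:
            wildcard = principal == "*"
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def audit_bucket(cfg, max_retention_days=2):
    """Return sorted finding codes for one bucket description."""
    findings = set()
    pab = cfg.get("public_access_block") or {}
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.add("PUBLIC_ACCESS_BLOCK_INCOMPLETE")
    if (policy_allows_anyone(cfg.get("policy") or {})
            and pab.get("RestrictPublicBuckets") is not True):
        findings.add("ANONYMOUS_READ_POSSIBLE")
    if not cfg.get("logging_enabled"):
        findings.add("NO_ACCESS_LOGGING")
    if cfg.get("tags", {}).get("data-class") == "identity-document":
        days = cfg.get("expiration_days")  # lifecycle expiration, None if unset
        if days is None or days > max_retention_days:
            findings.add("RETENTION_EXCEEDS_LIMIT")
    return sorted(findings)

# Constructed samples: one bucket modelled on the failure chain, one hardened.
EXPOSED = {
    "public_access_block": None,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-accreditation/*"}]},
    "logging_enabled": False, "expiration_days": None,
    "tags": {"data-class": "identity-document"},
}
HARDENED = {
    "public_access_block": dict.fromkeys(PAB_KEYS, True),
    "policy": {"Version": "2012-10-17", "Statement": []},
    "logging_enabled": True, "expiration_days": 2,
    "tags": {"data-class": "identity-document"},
}
```

Running `audit_bucket` over every bucket in a vendor's account on a schedule, and alerting on any non-empty result, is the minimum form of the continuous check the chain says was missing.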

06

REGULATORY EXPOSURE

  • ADGM Data Protection Regulations 2021 - Section 4(1)(f) (Security Principle), Section 22(1)-(2) (Security of Processing), Sections 29-30 (72-hour breach notification to Commissioner), Section 32 (notification to data subjects for high-risk breaches). ADFW was unaware of the breach for two months, meaning the 72-hour notification window was missed by weeks. Fine exposure: up to USD $54 million under the 2025 two-tier penalty update. Enforcement body: ADGM Office of Data Protection. Precedent: only two enforcement actions in ADGM history (Okadoc Technologies, May 2024; VentureRock Global, June 2023).
  • UAE Federal PDPL (Federal Decree-Law No. 45/2021) - May apply to the third-party vendor if operating outside the ADGM free zone. Fines from AED 50,000 to AED 5 million (~USD 13,600 to ~USD 1.36 million). Unauthorized privacy infringement carries minimum six months' detention.
  • UK Data Protection Act 2018 / UK GDPR - Directly applicable: David Cameron is a UK citizen whose passport data was processed without adequate security. Extraterritorial application under Article 3(2). Fine exposure: up to GBP 17.5 million or 4% of annual global turnover. Enforcement body: ICO.
  • EU GDPR - Directly applicable: EU Ambassador Lucie Berger and other EU nationals among 175 nationalities. Extraterritorial application under Article 3(2). Fine exposure: up to EUR 20 million or 4% of annual global turnover.
  • Singapore PDPA - Richard Teng is Singaporean. PDPA applies to his personal data.
  • Switzerland revFADP - Likely Swiss attendees given UBS CEO Sergio Ermotti spoke. Personal criminal liability on individuals, up to CHF 250,000.
  • Saudi PDPL - Saudi nationals among attendees; Saudi government ministers spoke. Fines up to SAR 5 million.
  • Other MENA frameworks - Bahrain PDPL, Qatar PDPA, Oman PDPL, Egypt Data Protection Law all potentially applicable depending on nationality of affected attendees across 175 countries represented.

07

ZERO|TOLERANCE Advisory

1. Enforce private-by-default cloud storage with automated guardrails. Deploy CSPM tools (Wiz, Orca, Prisma Cloud, or native provider tools) to continuously scan for publicly accessible storage. Alert and auto-remediate within minutes.

2. Mandate vendor security assessments. Require SOC 2 Type II certification, annual penetration testing, and evidence of encryption from any vendor handling passport-grade identity data. Include contractual security requirements with right-to-audit clauses.

3. Implement data minimization and automated deletion. Delete passport scans within 48 hours of event accreditation verification. The registration purpose does not require two-month retention of unprotected passport images.

4. Publish a vulnerability disclosure policy (VDP). Establish a security.txt file, a dedicated security contact, and a documented process for receiving vulnerability reports.

Suchowski's initial reports were ignored - a VDP would have reduced the exposure window from two months to days.

5. Deploy access logging on all storage environments. Enable server access logging and cloud provider audit trails on every storage bucket containing sensitive data. Without logs, ADFW cannot substantiate its claim that only the researcher accessed the data.

6. Conduct tabletop exercises for VIP data exposure scenarios.

Given the profile of ADFW attendees (heads of state, billionaires, diplomats), ADGM should conduct regular incident response exercises for identity document exposure, including coordination with affected individuals' personal security teams.
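
Recommendation 5 in practice, as an added example rather than anything taken from the incident: with access logs retained, the question of who fetched documents anonymously becomes a query. The code assumes the Amazon S3 server access log layout (the platform in this incident is undisclosed); the bucket name, addresses and log lines are constructed.

```python
import re
from datetime import datetime

# Leading fields of an S3 server access log record (assumed layout):
# owner bucket [time] remote-ip requester request-id operation key "request" status ...
LOG_RE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'\S+ (?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\d{3}|-) ')

# Constructed sample records; IPs are from documentation ranges.
SAMPLE_LOG = """\
ownerid0001 example-accreditation [09/Dec/2025:08:00:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/vendor-app REQ0000 REST.PUT.OBJECT vip/passport-0001.pdf "PUT /vip/passport-0001.pdf HTTP/1.1" 200 - - 48213 35 12 "-" "vendor-uploader/1.0" -
ownerid0001 example-accreditation [03/Jan/2026:02:11:40 +0000] 203.0.113.45 - REQ0001 REST.GET.OBJECT vip/passport-0001.pdf "GET /vip/passport-0001.pdf HTTP/1.1" 200 - 48213 48213 21 20 "-" "curl/8.5.0" -
ownerid0001 example-accreditation [10/Feb/2026:14:02:05 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT vip/passport-0001.pdf "GET /vip/passport-0001.pdf HTTP/1.1" 200 - 48213 48213 19 18 "-" "Mozilla/5.0" -
ownerid0001 example-accreditation [10/Feb/2026:14:02:09 +0000] 198.51.100.7 - REQ0003 REST.GET.OBJECT vip/passport-0002.pdf "GET /vip/passport-0002.pdf HTTP/1.1" 200 - 51002 51002 22 21 "-" "Mozilla/5.0" -
ownerid0001 example-accreditation [18/Feb/2026:10:00:00 +0000] 192.0.2.99 - REQ0004 REST.GET.OBJECT vip/passport-0003.pdf "GET /vip/passport-0003.pdf HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "Mozilla/5.0" -
"""

def anonymous_reads(log_text):
    """Summarise successful object downloads made without credentials, per source IP."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated record
        # Requester "-" marks an unauthenticated request; keep only served downloads.
        if (m["requester"] != "-" or m["op"] != "REST.GET.OBJECT"
                or m["status"] not in ("200", "206")):
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entry = summary.setdefault(m["ip"], {"keys": set(), "first": when, "last": when})
        entry["keys"].add(m["key"])
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary

def unexplained_sources(summary, known_ips):
    """Source IPs with anonymous downloads that are not on the known list."""
    return sorted(ip for ip in summary if ip not in known_ips)

if __name__ == "__main__":
    reads = anonymous_reads(SAMPLE_LOG)
    print(unexplained_sources(reads, known_ips={"198.51.100.7"}))
```

An empty result from `unexplained_sources` over the full exposure window is the evidence that would back a statement like "access activity was limited to the researcher"; a non-empty one defines the notification scope.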

08

SOURCES

Financial Times, The National (UAE), Dark Reading, TechRadar, TechNadu, Cybernews, Middle East Eye, INCIBE-CERT, MIT Sloan ME, Security Magazine, Netcrook, American Bazaar, ADGM Media Office
