Stay updated with free updates
just sign up Cyber security myFT Digest – delivered straight to your inbox.
The passports and other identity documents of hundreds of attendees of Abu Dhabi’s major investment conference have been exposed online, compromising the security of high-profile individuals involved in international finance, politics and crypto.
Scans of more than 700 passports and state identity cards were found on an unsecured cloud storage server linked to Abu Dhabi Finance Week, a state-sponsored event that hosted more than 35,000 attendees in December.
Those whose identity documents were exposed included former British Prime Minister Lord David Cameron; billionaire hedge fund manager Alan Howard; and American investor, podcaster and former White House communications director Anthony Scaramucci, according to documents reviewed by the FT.
According to Ronny Suchowski, the freelance security researcher and consultant who discovered it, the exposed data was publicly accessible to anyone using a simple web browser. The FT contacted ADFW about the leak on Monday, after which the server was secured.
Cybersecurity experts said the data breach risks damaging the reputation of the Gulf state, which regularly hosts high-profile conferences and rewards its security work.
ADFW has become the emirate’s showcase for the global financial community as it seeks to attract hedge funds and asset managers to its fast-growing financial hub. It is organized by Abu Dhabi’s financial hub ADGM, which claimed “the total assets represented during the week surpassed $62tn”.
ADFW confirmed “a vulnerability in a third-party vendor-managed storage environment related to a limited subset of ADFW 2025 attendees.”
“ADFW takes and has always taken data security and platform security extremely seriously, and any breach of security is also taken extremely seriously,” it said in a statement.
“The environment was secured immediately after identification, and our initial review indicates that access activity was limited to the researcher who identified the issue.”
ADFW said it contacted affected attendees to inform them of the data breach.
Other high-profile individuals who have revealed their details include Richard Teng, co-chief executive of crypto exchange Binance and former CEO of ADGM, and Lucie Berger, the EU ambassador to the UAE, according to a small sample of files reviewed by the FT.
Scaramucci and representatives for Cameron, Howard, Berger and Teng declined to comment.
The ADFW event in December was attended by Abu Dhabi’s Crown Prince Sheikh Khalid bin Mohammed bin Zayed Al Nahyan and was widely publicized on social media.
ADFW previously said speakers included several UAE government ministers and senior executives from financial companies including UBS, Blackstone, Standard Chartered, Barclays, Morgan Stanley, Temasek, Bridgewater, Carlyle and Man Group, while representatives from crypto companies such as Tether and Crypto.com also attended.
Suchowski discovered the leak using off-the-shelf software that scans cloud services for insecure data. He said the cache of data, which included passports and ID cards among thousands of publicly accessible files including ADFW invoices, was likely to have been exposed for at least two months. The researcher said previous attempts to alert the ADFW had been unsuccessful, prompting him to contact the FT.
“Responsible disclosure” of data breaches is critical to protecting those affected, Suchowski said. “The goal is always to notify the organization privately and give the organization an opportunity to fix the problem before it becomes an abuse.”
Full passport scans can be valuable to fraudsters operating on the dark web. These can be used by criminals in combination with other personal details to steal identities, develop highly personalized phishing attacks, or gain unauthorized access to online accounts.
Neil Quilliam, associate fellow at Chatham House’s Middle East and North Africa programme, said the ADFW cyber security breach was a “mistake”. He said such a “fundamental and simple” error was “contrary to how the state likes to present itself.”
An ADFW attendee expressed surprise at what it described as a “massive data breach” and described it as “pretty horrifying.”
