Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest — delivered directly to your inbox.
Passports and other identity documents belonging to hundreds of attendees of Abu Dhabi’s flagship investment conference have been exposed online, compromising the security of high-profile individuals from international finance, politics and crypto.
Scans of more than 700 passports and state identity cards were discovered on an unprotected cloud storage server associated with Abu Dhabi Finance Week, a state-sponsored event that hosted more than 35,000 attendees in December.
Among those whose identity documents were exposed were Lord David Cameron, the former British prime minister; Alan Howard, the billionaire hedge fund manager; and Anthony Scaramucci, the US investor, podcaster and former White House communications director, according to documents reviewed by the FT.
The exposed data was publicly accessible to anybody using a simple web browser, according to Roni Suchowski, the freelance security researcher and consultant who discovered it. After the FT approached ADFW about the leak on Monday, the server was made secure.
Cyber security experts said the data lapse risked damaging the reputation of the Gulf state, which regularly hosts high-profile conferences and prizes its security operations.
ADFW has become the emirate’s showcase for the global financial community as it seeks to attract hedge funds and asset managers to its fast-growing financial centre. It is organised by ADGM, Abu Dhabi’s financial centre, which claimed that “total assets represented during the week surpassed $62tn”.
ADFW confirmed “a vulnerability in a third-party vendor-managed storage environment relating to a limited subset of ADFW 2025 attendees”.
“ADFW takes, and has always taken, data protection and platform security extremely seriously, and any breaches of security are also taken with utmost seriousness,” it said in a statement.
“The environment was secured immediately upon identification, and our initial review indicates that access activity was limited to the researcher that identified the issue.”
ADFW said it had contacted the affected attendees informing them of the data breach.
Other high-profile individuals to have their details disclosed included Richard Teng, co-chief executive of crypto exchange Binance and former CEO of ADGM, and Lucie Berger, the EU’s ambassador to the UAE, according to the small sample of files reviewed by the FT.
Scaramucci and representatives for Cameron, Howard, Berger and Teng declined to comment.
The ADFW event in December was attended by Abu Dhabi’s crown prince, Sheikh Khaled bin Mohamed bin Zayed Al Nahyan, and widely promoted on social media.
ADFW said previously that speakers included several UAE government ministers and senior executives from financial firms including UBS, Blackstone, Standard Chartered, Barclays, Morgan Stanley, Temasek, Bridgewater, Carlyle and Man Group, while representatives from crypto companies such as Tether and Crypto.com also attended.
Suchowski discovered the leak using off-the-shelf software that scans cloud services for unsecured data. The cache of data, of which passports and ID cards were among tens of thousands of publicly accessible files, including ADFW invoices, was likely exposed for at least two months, he said. The researcher said previous attempts to warn ADFW were unsuccessful, prompting him to contact the FT.
“Responsible disclosure is crucial” for data breaches in order to protect those affected, Suchowski said. “The goal is always to notify the organisation privately and give them the opportunity to fix the issue before it is abused.”
Complete passport scans can be valuable to fraudsters operating on the dark web. They can be used by criminals in conjunction with other personal details to steal identities, develop highly personalised phishing attacks or gain unauthorised access to online accounts.
Neil Quilliam, an associate fellow on Chatham House’s Middle East and North Africa Programme, said ADFW’s cyber security breach was a “blunder”. He added that such a “basic and simple” error “runs counter to how the state likes to present itself.”
One ADFW attendee expressed shock at what they described as a “massive data breach”, calling it “pretty appalling”.