700+ passport scans exposed at Abu Dhabi Finance Week, reports say. Here’s the vendor mistake behind it

This Abu Dhabi Finance Week leak is a vendor risk case study, not a cyber mystery 

The Financial Times and Reuters reported that a cloud environment linked to a third-party event vendor left scans of more than 700 passports and state identity documents accessible online via a web browser. The leak was discovered by security researcher Roni Suchowski, and the event reportedly hosted 35,000+ attendees in December.  

Organizers said the environment was secured after the issue was flagged and suggested initial review indicated limited access.  

The reason it matters is what it says about accountability when your data moves into vendor-run systems. 

What was exposed at Abu Dhabi Finance Week, and why it is a big deal 

This was not “contact details in a spreadsheet.” The reporting describes passport and ID scans, plus other highly sensitive documents like invoices.  

Identity documents are considered high-blast-radius data. In other words, once a scan is out in the wild, the risk is not just theoretical embarrassment. It can enable identity fraud, targeted phishing, and account takeover attempts that rely on document verification.  

The nature of these documents and the potential for last consequences is why the FT described the oversight as especially damaging in a setting designed to project credibility and trust.  

Why is the Abu Dhabi Finance Week leak a vendor risk case study?  

The reporting on this event is pretty explicit that the exposed storage sat in a third-party vendor-linked environment. That single detail changes the whole lesson. 

In practice, large events are vendor ecosystems: registration systems, ticketing, check-in tools, badge printing, identity verification, attendee apps, QR scanning, hospitality providers, and outsourced support teams. This means that even if the organizer has strong internal controls, a vendor can spin up a “temporary” environment that becomes production by accident, and it only takes one misconfiguration to create a public leak. 

Technology reporter, Jai Vijayan, summarizing the FT reporting, noted the researcher apparently used common scanning tools to find publicly accessible cloud data. That is part of what makes this incident so uncomfortable: you do not need a sophisticated exploit when the data is already exposed. 

Why a cyber leak ‘fix’ is often not enough?  

Most incident statements include a version of: we secured the system and believe access was limited. Reuters reported organizers took that line here.  

But from a governance perspective, the question is always the same: can you prove who accessed what, and when? 

If a vendor environment has weak logging, short log retention or no monitoring, your best answer becomes “we believe.” That is not a comfort to regulators, executives or the people whose passports were exposed. 

This is why unsecured cloud buckets keep showing up in headlines… 

The UK’s National Cyber Security Centre wrote back in 2019 that it felt like every month brought a new announcement of a data leak from an improperly secured storage bucket. This point has not aged out.  

If anything recent headlines show that this issue is more front of mind than ever. For example;  

• In February 2026, TechRadar reported an Android AI app exposed nearly two million user photos and videos after a misconfigured Google Cloud storage bucket left files accessible without authentication.  

• In 2021, Volkswagen announced that  vendor exposure impacted 3.3 million people in North America.  

• In the US, ITPro reported that a recruiting software firm exposed nearly 26 million files after leaving a misconfigured Azure container open 

Different industry, different data, same theme: third parties create an extra surface area that is easy to underestimate. And misconfiguration is still one of the most common ways sensitive data becomes public, because the failure mode is boring and human: permissions, defaults, rushed deployment, unclear ownership. 

This is also why “third-party risk” is not just procurement paperwork. In interconnected systems, risk spreads. Research explains this as risk propagation across a supply chain and highlights the incentive problem: if no one forces coordination, weaker parties can underinvest while everyone shares the downside. ¹

This point is only exacerbated by the survey statistic that 59% of organizations experienced a breach caused by one of their vendors.  

Even if you treat that as directional rather than absolute, it still reinforces the basic truth: vendor environments are not edge cases. They are where breaches often start. 

The cost reality of data breaches in the UAE region is not small 

In IBM’s Middle East study (Saudi Arabia + UAE combined), the average total cost of a data breach is reported as US$7.29 million, with an average cost per lost or stolen record of $194.  

Other reporting cites an average of 255 days to identify a breach and 78 days to contain it after identification.  

Those numbers matter in a story like this because even if the technical fix is quick (lock down the storage), the organizational work is not. Investigations, notifications, legal review, stakeholder comms, and reputational cleanup can drag on for months. 

A quick overview of the Abu Dhabi data leak through a compliance process lens 

Because Abu Dhabi Finance Week is associated with ADGM in the reporting, there’s a simple operational consequence: your breach readiness cannot stop at your third parties. 

Personal data breaches must be notified to the Commissioner for Data Protection within 72 hours, and it processors are expected to operate under contract and follow the controller’s instructions with appropriate protective measures. ²

That matters because in real incidents, the first notification often comes from outside your team. A vendor spots an exposed bucket. A researcher emails a generic inbox. Someone posts a screenshot. If you cannot escalate, preserve evidence (especially logs), and make decisions fast, you lose control of the narrative and you lose time you may not have. 

This is not unique to the UAE. For example, the UK’s Information Commissioner’s Office captures the same principle in plain language: if you use a processor and it suffers a personal data breach, the processor must inform the controller “without undue delay” once it becomes aware. 

Put simply: if a vendor is holding identity documents on your behalf, your notification clock and your evidence trail still need to work end-to-end. The “vendor found it first” scenario is not a special case. It’s the default. 

What compliance and security teams should take from the Abu Dhabi story 

This is not a “UAE-specific” issue. It is an ecosystem issue. 

The takeaway is simple and slightly brutal: if your controls only exist in a contract, they do not exist. You need proof in production. 

That means, at minimum: 

• You know exactly which vendors touch identity documents, and why. 

• Identity scans are minimized, time-limited, and deleted on a schedule. 

• Storage is private-by-default, access is least privilege, and logs exist long enough to answer hard questions. 

• Vendor environments are monitored continuously for exposure and permission drift. 

• When something goes wrong, escalation and notification work on day one, not day twenty. 

That is the difference between “we secured it” and “we can prove it.” 

 

 Want to hear how we can help?  

FAQ on the Abu Dhabi Finance Week leak

Resources and further reading

1. Li, Y. and Xu, L. (2021) ‘Cybersecurity investments in a two-echelon supply chain with third party risk propagation’, International Journal of Production Research, 59(4), pp. 1216–1238. ↩︎
2. El Masry, M. and Jackson, C. (2021) ‘Privacy and protection: data in the Abu Dhabi Global Market’, International Financial Law Review, London. ↩︎