Abu Dhabi Finance Week Data Leak exposes ex-UK Prime Ministers Passport

A recent incident linked to Abu Dhabi Finance Week shows how quickly a single security gap can turn into a reputational and operational crisis.

Reuters has reported that scans of more than 700 passports and state identity cards were found on an unprotected cloud storage server connected to the event, making the data accessible via a simple webbrowser. The leak reportedly affected a limited subset of attendees and the organisers said it related to a vulnerability in a third-party vendor-managed storage environment, secured immediately after it was identified. 

For the UAE and the wider GCC, the message is blunt: as the region hosts more flagship summits, attracts global capital and brings senior government and business leaders into one place, the impact of weak cyber controls grows. No organisation is “too big” or “too important” to be exposed by a basic misconfiguration or supplier mistake.

Why the fallout can be severe

When identity documents and travel information leak, the risk is not theoretical. It can trigger:

• Identity fraud and financial crime, using genuine documents to bypass onboarding checks

• Highly targeted phishing, where attackers reference real passport data, travel dates or event attendance to build trust

• Executive risk, including impersonation attempts against VIPs and their offices

• Long tail reputational damage, especially for organisations positioning themselves as secure and world-class hosts

In this case, the organiser’s statement points to third-party storage as the source of the vulnerability. That matters because many high-profile events, ministries, regulators, banks and sovereign wealth ecosystem partners rely on external providers for registration, accreditation, logistics, travel support and identity verification. If the supplier’s environment is misconfigured, your brand still carries the damage.

Why this matters for the GCC, now

Across the GCC, major initiatives are accelerating digital transformation at national scale. The UAE, Saudi Arabia and Qatar in particular are hosting more global events, more delegations and more cross-border dealmaking than ever.

That creates three compounding realities:

1. More sensitive data is being collected (IDs, visas, biometrics, access passes, hotel manifests, VIP movement plans)

2. More vendors are involved (event platforms, badge printing, cloud storage, identity verification, PR agencies)

3. More motivated threat actors are watching (financial crime groups, ransomware crews and state-linked operators)

The practical lessons: what boards, CISOs and programme owners should take from this

If you are responsible for an event, a government programme, a regulator, a bank or a large enterprise in the GCC, the controls that matter most are often the unglamorous ones:

• Data minimisation: only collect what you truly need and delete it fast

• Cloud configuration discipline: private by default, least privilege, MFA, logging, alerting and continuous posture monitoring

• Vendor assurance that goes beyond a tick box: security requirements in contracts, evidence of controls, audit rights and breach notification timelines

• Separation of environments: attendee data should not sit in a general-purpose bucket with weak access controls

• Incident readiness: assume exposure is possible and rehearse response, communications and regulator engagement

This is exactly where capability gaps show up, not only in tooling but in governance, architecture and day-to-day operational practice.

What this means for cybersecurity training in the UAE, Saudi Arabia, Qatar and across the GCC

The quickest way to reduce real-world cyber risk is to build practical capability at every level, from technical teams to leadership.

At MENA Executive Training, we deliver cybersecurity training across the GCC with programmes designed for government, critical infrastructure and enterprise teams in the UAE (Abu Dhabi, Dubai), Saudi Arabia (Riyadh, Jeddah), Qatar (Doha), Kuwait (Kuwait City), Bahrain (Manama) and Oman (Muscat).

We offer 55 cybersecurity courses spanning core security foundations, security architecture, cloud security, governance, risk and compliance and incident response. For organisations responding to incidents like this, three pathways often make the fastest difference:

• CISSP (ISC2) for security leadership, risk management and programme-level thinking

• Microsoft Certified: Cybersecurity Architect Expert (SC-100) for Zero Trust-aligned security architecture across Microsoft environments

• ISO/IEC 27033 Network Security for designing and governing secure networks and connections in complex, vendor-heavy environments

If your organisation is preparing for a major event, expanding globally or tightening supplier oversight, these are the kinds of role-based programmes that help teams prevent misconfigurations, challenge vendor assurances and spot dangerous gaps earlier.

To see all our CyberSecurity courses click here.