It’s been reported that Abu Dhabi’s flagship investment conference, Abu Dhabi Finance Week (ADFW), suffered a data leak wherein a security researcher was able to access a cloud instance hosting the passports and IDs of hundreds of its attendees, which included prominent figures like former UK PM David Cameron, former white-house spokesperson Anthony Scaramucci, and numerous other politicians and business leaders. Closed Door Security responds below.
After being contacted by the FT, the cloud instance was secured and ADFW claimed the data had only been accessed by the researcher who discovered the leak; despite this, the researcher claims his warnings were originally ignored, leaving the data publicly accessible and at risk for up to two months.
Data leak at Abu Dhabi finance summit exposes politicians and business leaders – The FT
Cassius Edison, COO of Closed Door Security, says “This leak represents a huge failure in operational security, and an embarrassing one: to host a conference of prominent politicians and business leaders, and to not ensure their data is held securely in the most basic way is a huge blunder on the part of Abu Dhabi Finance Week (ADFW). Had this data been accessed and stolen by criminals or malicious actors, it could’ve destroyed the conference’s credibility entirely.
“ADFW claimed that the leak was due to a ‘a vulnerability in a third-party vendor-managed storage environment’, but the researcher who discovered the data was able to find and access the server with standard scanning software, which suggests it was more likely a basic cloud management misconfiguration than any serious exploit.
“Even if a proper vulnerability was involved, this doesn’t excuse ADFW. When it comes to storing sensitive data, especially for such high-profile figures, organisations need to do due diligence, and have as thorough a grasp of their attack surface as they can. Understanding your attack surface means being aware of and trying to mitigate even marginal vulnerabilities. Fundamentally, the data in this instance should not have been so easily accessible.
ADFW secured the server hosting the data after being contacted by the FT, and claimed no one else has accessed it. Hopefully this latter point is true. The server and data were potentially accessible for up to two months, and the researcher’s warnings were apparently ignored by ADFW until he went to the FT. If this is true, it suggests a seriously negligent attitude to basic security.”
For more cybersecurity news, click here
