By Yazen Rahmeh, a Cybersecurity Expert at SearchInform

Digital transformation across the UAE and Saudi Arabia brings new opportunities and prospects for enhancing efficiency and growth. However, it also causes new challenges to data protection. As digital environments expand, data spreads across endpoints, cloud storage, and internal environments, escaping oversight by security and compliance teams.

This is shadow data, and it may be one of your organization’s most underestimated risk.

What Is Shadow Data?

Despite all efforts, some business data can be stored and processed outside official IT systems. As a result, a company won’t even know that such datasets exist.

There are a lot of reasons behind the creation of shadow data. Basic examples are:

• Files stored in personal accounts. An employee can send important files to personal email or cloud storage “just in case.”
• Access to corporate data from personal devices. A person can log in to corporate cloud services from a personal tablet or laptop. As a result, sensitive documents can be downloaded to a personal device.  This usually happens when someone is working overtime or wants to keep important files readily available.
• Unaccounted copies of sensitive data. An employee can simply copy and paste records from a CRM system or a customer spreadsheet into a file on their workstation. As a result, sensitive data may bypass security controls, increasing the risk of data leakage.
• Some business units can adopt SaaS services without oversight. Employees usually do it to boost their productivity or if whitelisted tools are perceived as slow or bulky.
• Test datasets and temporary databases. Sometimes confidential data can duplicate during migration from one service to another or if developers use production data for test or development environments.

These examples may seem abstract, but the recent Cybersecurity and Infrastructure Security Agency (CISA) data leak shows that shadow data is a real-world threat.

The leak reportedly originated from a contractor’s GitHub repository, which was being used as a working scratchpad. The repository exposed various sensitive records, including AWS keys and plaintext passwords for internal CISA systems. An individual had simply copied sensitive data to make their work more convenient. To do so, the contractor disabled GitHub’s default security setting that prevents users from publishing secrets in public repositories.

Why Shadow Data Is a Business Risk

Increased Risk of Data Leaks

Consider a common scenario: an employee stores confidential data on a personal laptop or cloud service. As a result:

• Sensitive records could be stolen via phishing or malware, as the laptop isn’t protected by enterprise-grade security controls.
• An employee could share the laptop with other individuals. Shared devices increase the risk of data exposure.
• Unauthorized cloud backups. An employee may configure automatic file backups to a cloud service. As a result, sensitive data can leave the protected perimeter and be duplicated in cloud storage, increasing the risk of unauthorized access or data leakage.

That’s how a small and seemingly irrelevant piece of ungoverned data could lead to a major incident. In fact, in 2024, one in three data breaches involved shadow data, according to IBM’s Cost of a Data Breach 2024 report.

One of the most recent cases of data leaks, involving shadow data, is the Abu Dhabi Finance Week exposure. An independent researcher discovered unsecured cloud storage with ID details.

Event representatives stated that only the researcher accessed the data and that the incident affected a limited number of participants. According to them, the issue was caused by a misconfigured cloud storage system managed by a third-party provider.

The incident is the perfect example of shadow data, as the data was copied outside of secured corporate infrastructure and had been left unmanaged.

Regulatory Pressure

Shadow data also presents compliance risks. When using a cloud service, it is essential to verify the geographic location of the data center where the data is stored. Data could be stored at a data center in a different country if you didn’t specify a server location.

As a result, if shadow data includes confidential records such as customer details or transaction records, it will be transferred and stored abroad. From a legal perspective, such misconfiguration is a cross-border transfer and lead to regulatory fines for violations of data protection regulations.

Saudi Arabia’s Personal Data Protection Law dedicates a lot of attention to data residency and cross-border transfers. Organizations, especially in regulated sectors, such as financial institutions, may be required to store certain categories of data within the Kingdom. Companies may need regulatory approval before transferring data to foreign data centers to avoid penalties.

Emirati businesses have less strict conditions for cross-border data transfers. However, there are limitations for banking, payments, healthcare, and telecom organizations and governmental entities. Companies from these industries must store confidential data, such as health records, payment transactions, and customer data, within the country.

Lack of visibility equals lack of control, and regulators do not accept invisibility as an argument.

How to Bring Shadow Data Under Control

Eliminating shadow data entirely is unrealistic. The goal is to make it visible and manageable without slowing down the business.

A Practical Starting Checklist

1. Discover regulated data, especially data subject to local PDPLs requirements, cybersecurity frameworks issued by National Cybersecurity Authority in the KSA, and Information Assurance Regulation by TDRA in the UAE. It is essential to identify all information that qualifies as confidential and valuable, incl. unaccounted copies of such data.
2. Map where this data is actually stored and shared, not just where it should be. Sensitive data can be stored on-prem or in cloud environments. Look for data discovery solutions. Ideally, choose a solution that combines data discovery and data classification, like DCAP software.
3. Classify files & distribute access rights. Use specialized tools to analyze file content and classify it in accordance with a local classification scheme. The next step is to assign user access rights to sensitive data based on employees’ roles and responsibilities.
4. Control data transfer channels, including cloud storage, SaaS tools, and USB-devices. Use DLP systems to prevent unauthorized spread of sensitive data. Advanced DLP solutions monitor cloud services, as well as traditional channels, such as email or web browsers.

Conclusion

Data protection is not a one-time initiative. It is an ongoing discipline. Security achieved today must still hold tomorrow — and next year.

Organizations that treat data security as a strategic investment, rather than a compliance obligation, build resilience, regulatory confidence, and long-term business stability.

Shadow data may be invisible. But its consequences are not.

OnTheList, the region’s members-only luxury flash sales platform, has announced a strategic partnership with Dubai Cares, a UAE-based global philanthropic organisation, to champion human development and community impact globally. To mark the launch, OnTheList will host the Charity Fashion Sale, a four-day fashion sample sale taking place from 9^th to 12^th June at Dubai Design District (d3), with OnTheList donating 100% of profits to Dubai Cares.

Having already impacted over 117 million lives across more than 60 developing countries, Dubai Cares is committed to advancing human development and youth empowerment globally. For OnTheList, this made the partnership a clear and natural fit. Partnering with an organisation of such scale and credibility was not a difficult decision for OnTheList. It was an obvious one.

Organised by OnTheList in collaboration with Dubai Cares, the Charity Fashion Sale offers shoppers exclusive access to heavily discounted pieces across menswear, womenswear and childrenswear. Brands featured include JACK & JONES, VERO MODA, ONLY, Name It and Selected, all part of the BESTSELLER Fashion Group.

“When thinking about what it means to build a brand in this region, it goes far beyond the sale itself. Partnering with Dubai Cares felt like the most honest expression of that, every purchase now carries a purpose that extends well beyond the checkout,” said Delphine Lefay, Co-Founder of OnTheList.

Speaking on the partnership, Amal Al Redha, Director of Partnerships at Dubai Cares said, “OnTheList has shown that retail and responsibility can go hand in hand. This partnership creates a meaningful opportunity to engage communities who want to give back and we are delighted to welcome them as partners in that mission”.

With OnTheList’s footprint growing rapidly across the UAE, the partnership puts one of the region’s most active retail communities directly in service of a global cause.

Event Details:

What: Charity Fashion Sale, presented by OnTheList in collaboration with Dubai Cares, and BESTSELLER | Where: Building 11, Dubai Design District (d3) | Dates: 9^th to 12^th June 2026 | Time: 8am to 8pm | Online sign up: https://otl.sale/oct2xm

This fundraising activity is licensed by the Islamic Affairs and Charitable Activities Department (IACAD) under the Permit No. PRHCE-005620890.

Yas Mall brought the spirit of community and appreciation to life on 20 May with the reveal of its Tree of Gratitude artwork; a special moment held as part of Yas Mall’s Week of Wonder.

Located in Yas Mall’s Town Square, the interactive installation invited visitors to share heartfelt messages of gratitude dedicated to the UAE and its leadership. Thousands of contributions became part of a growing digital artwork symbolising unity, reflection and national pride. The completed mosaic was officially unveiled, revealing a collective artwork inspired by the UAE flag and shaped by the voices of the community. Families and friends gathered to witness the moment, celebrating together in an atmosphere filled with appreciation and national pride.

The reveal was accompanied by a special live performance by the UAE Police Band, alongside traditional Al Ayallah performances that brought an added sense of celebration and cultural spirit to the evening. UAE flags were also distributed to visitors during the performances, creating a vibrant community moment as guests came together in tribute to the nation.

The activation formed part of Yas Mall’s wider Week of Wonder experience, which transformed the destination into an engaging space for discovery and shared experiences from 8 – 20 May.