Confidential terror watchlist exposed online

By Mayank Sharma
last updated

The server hosting the database was online for three weeks before it was taken down

Networks
(Image credit: Shutterstock)

A misconfigured Elasticsearch (opens in new tab) cluster exposed sensitive personal details of two million individuals, included in what cybersecurity (opens in new tab) researchers believe to be a highly confidential database (opens in new tab).

Volodymyr Diachenko, Head of Security Research at Comparitech, was responsible for the discovery of the records, which appear to form the basis of a terror watch list.  The database was left exposed online, without even password (opens in new tab) protection.

“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist,” claims Diachenko (opens in new tab)

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

Diachenko reported the find to the Department of Homeland Security (DHS), which thanked him for bringing it to its attention, but did not claim ownership of the exposed records. The data was accessible for a further three weeks, before the server it resided on was taken down.

Abandoned data?

Diachenko’s team routinely scans the web for misconfigured and easily accessible databases that contain personal information. When they find one, they try to determine its ownership, and then contact the entity that owns the database to implement proper protections. 

In the case of this particular exposed Elasticsearch cluster, Diachenko claims it contained 1.9 million records with each record listing various personally identifiable information (PII) and other sensitive details, such as an individual’s name, date of birth, citizenship, passport number, no-fly indicator and more.

The exposed server was indexed by the Censys and ZoomEye search engines, and could have been accessed by anyone in the three weeks it was available online.

The FBI did not immediately return TechRadar Pro's request for comment. 

Update: 10:00 ET / 15:00 BST
The FBI has confirmed it will not comment on the story at this time.

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

See more Computing news