A misconfigured Elasticsearch (opens in new tab) cluster exposed sensitive personal details of two million individuals, included in what cybersecurity (opens in new tab) researchers believe to be a highly confidential database (opens in new tab).
Volodymyr Diachenko, Head of Security Research at Comparitech, was responsible for the discovery of the records, which appear to form the basis of a terror watch list. The database was left exposed online, without even password (opens in new tab) protection.
“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist,” claims Diachenko (opens in new tab).
- These are the best database software (opens in new tab)
- Here’s our list of the best cloud databases (opens in new tab) on the market
- Also check our roundup of the best database design software (opens in new tab)
Diachenko reported the find to the Department of Homeland Security (DHS), which thanked him for bringing it to its attention, but did not claim ownership of the exposed records. The data was accessible for a further three weeks, before the server it resided on was taken down.
Abandoned data?
Diachenko’s team routinely scans the web for misconfigured and easily accessible databases that contain personal information. When they find one, they try to determine its ownership, and then contact the entity that owns the database to implement proper protections.
In the case of this particular exposed Elasticsearch cluster, Diachenko claims it contained 1.9 million records with each record listing various personally identifiable information (PII) and other sensitive details, such as an individual’s name, date of birth, citizenship, passport number, no-fly indicator and more.
The exposed server was indexed by the Censys and ZoomEye search engines, and could have been accessed by anyone in the three weeks it was available online.
The FBI did not immediately return TechRadar Pro's request for comment.
Update: 10:00 ET / 15:00 BST
The FBI has confirmed it will not comment on the story at this time.
- These are the best data loss prevention services (opens in new tab)