Amer Owaida, Security Writer at ESET, explains that, in a bizarre turn of events, the secret list was exposed online for three weeks, allowing anyone to access it without any kind of authentication.
A terrorist watchlist containing almost 2 million records sat exposed and unsecured on the internet for a period of three weeks between July 19th and August 9th. The watchlist is said to come from the Terrorist Screening Center (TSC), a multi-agency center managed by the Federal Bureau of Investigation (FBI).
Security researcher Bob Diachenko discovered the watchlist on July 19th and reported it to the Department of Homeland Security straight away. While the DHS did acknowledge the incident and thanked the researcher for his work, it did not elaborate on it any further, Diachenko wrote in a LinkedIn post that details his findings.
The TSC was created in 2003 in the aftermath of the September 11 attacks as a way for different governmental agencies and departments to share information on suspected terrorists. The Center is responsible for the management and operation of the Terrorist Screening Database (TSDB) and shares the information with homeland security, law enforcement, and intelligence agencies including the Department of State (DOS), Department of Defense (DOD), Transportation Security Administration (TSA), Customs and Border Protection (CBP), and in some cases select international partners as well.
Diachenko admitted that he wasn’t sure whether the list was accessed by any unauthorized parties. The exposed server was also indexed by search engines Censys and ZoomEye, which might suggest that the security researcher wasn’t the only one who saw the list. “The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.
The exposed records contained several types of data, including full names, TSC watchlist IDs, citizenship, gender, birth dates, passport numbers, country of issuance, and no-fly indicators. Diachenko also highlighted that the database was discovered on a Bahrain IP address rather than a US one.
The leakage of such sensitive data could spell potential problems for people whose information may have been part of the list, according to Diachenko. “The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he warned.