A terrorist watchlist with almost 2 million records was exposed online. The list was left open in an Elasticsearch cluster with no password.
It was found by Security Discovery’s researcher Bob Diachenko.
The massive database breach revealed sensitive information about almost 2 million people. This list included their names, country of birth, passport details, gender, no-fly status, and more.
The server was indexed by search engines Censys and Google Earth, which indicated that Diachenko might not have been the only one to find the list.
The researcher believes that the list was leaked by a government agency or a third-party entity. However, it is not confirmed if the list belonged to a U.S. government.
It included sensitive information such as passport details and “no_flight_indicator,” which made the researcher think it was a no-fly or a similar terrorist watchlist.
“That was the only valid guess given the nature of data plus there was a specific field named ‘TSC_ID’,” Diachenko told BleepingComputer, and suggested the source of the records could be the Terrorist Screening Center (TSC).
The FBI’s Terrorist Screening Center Database is used by airlines and multiple federal agencies to collect and share information related to counterterrorism activities. It is used to check if a passenger is permitted to fly to the US. It also includes information about the individual’s risk of other activities. This database is considered highly sensitive due to its role in helping law enforcement agencies carry out their duties.
The researcher discovered the database leak on July 19, 2021. He immediately reported the incident to the authorities. The exposed server was taken down about three weeks later.
“The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process,” continued the researcher.
The researcher noted that this data leak could affect the ability of law enforcers to track and apprehend individuals suspected of illegal activities.
“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” says the researcher.