It seems someone working at the FBI screwed up and posted a terrorist watchlist database online without any authentication required to view it.
Volodymyr “Bob” Diachenko, Head of Security Research at Comparitech, shared details of how he discovered the terrorist watchlist on July 19. It’s a list from the Terrorist Screening Center (TSC), which is administered by the FBI and forms part of a multi-agency group. The FBI describes the TSC as “a vital part of the U.S. Government’s counterterrorism early warning and interdiction network.”
The list contained 1.9 million records, and anyone could view it if they stumbled across the Elasticsearch cluster it was stored on. For some unknown reason, the database was hosted at an IP address in Bahrain. Each record contained a full name, TSC watchlist ID, citizenship, gender, date of birth, passport number, no-fly indicator, and country of issuance. As Diachenko explains:
“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”
He reported the security fumble to the Department of Homeland Security (DHS), which “acknowledged the incident and thanked me for my work.” Nothing else has been said by DHS since.
If the exposure of such a list wasn’t worrying enough, it then took three weeks for DHS to take it down, which allowed ample time for the data to be discovered and downloaded by other third parties. Diachenko suggests the data probably wasn’t available before July 19 as both the Censys and ZoomEye search engines indexed it the same day he discovered the unprotected database.