I see what ya mean @jmc
On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.
The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.
I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.
Timeline of the exposure
On July 19, 2021, the exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS.
The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.
What data was exposed?
The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.
Each record in the watchlist contained some or all of the following info:
- Full name
- TSC watchlist ID
- Date of birth
- Passport number
- Country of issuance
- No-fly indicator
The data also included a couple of categorical fields that I was unable to identify, including “tag,” “nomination type,” and “selectee indicator”.
Notably, the database was found on a Bahrain IP address, not a US one.
Dangers of exposed data
The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.