Jakub JirsÃ¡k - stock.adobe.com
An apparent U.S. government terrorism watchlist was found exposed to the open internet.
Security researcher Bob Diachenko discovered the data in an exposed Elasticsearch cluster and reported the list to the FBI. It has since been taken down.
According to a LinkedIn post from Diachenko, cyber threat intelligence research director at Discover Security, the list contained basic information on both American and international citizens who were deemed to be of interest to the government over risk of terrorism. Diachenko says that server was discovered and reported on July 19, with the takedown completed on Aug. 9.
Comprising around 1.9 million records, the database was stored inside an Elasticsearch server that had not been configured to have any sort of password protection. The records included basic info such as names, dates of birth and countries of citizenship, as well as more sensitive information including passport numbers and whether that individual was also on the Transportation Security Administration's no-fly list.
Diachenko said in his LinkedIn post that the database was originally created by the FBI-led Terrorist Screening Center, an operation that also involves the Department of Homeland Security (DHS). The DHS referred request for comment to the FBI, whose spokespersons could not be reached to comment on the matter.
Diachenko told SearchSecurity that it is difficult to know exactly how long the database was exposed online, and just who might have had access to it before being taken down.
"It is hard to tell for how long this list had been up before it got indexed by search engines," he explained. "But it was definitely up for three-plus weeks before being taken down by authorities or the hosting provider itself (after my responsible disclosure) -- so there is a decent chance that it hit the radar of someone else."
If there is any good news for those individuals whose information was exposed by the leak, it is that in many cases they likely already knew they were on the list. According to a 2015 policy change, the DHS has to notify any U.S. citizen that they have been added to the watchlist. This does not apply to foreign citizens, however, so many of those who live outside the U.S. likely had no formal notification they were on this list.
The FBI would not be the first government entity to suffer a data leak thanks to a misconfigured cloud server; in 2017, an exposed AWS S3 bucket containing U.S. Department of Defense data was discovered. Poorly-configured storage buckets and databases are also one of the top causes of customer data loss, with companies having lost hundreds of millions of account records thanks to servers that were not set for password protections or authentication requirements of any kind.