Security researcher Chris Vickery has a knack for finding unprotected databases, but this time it’s an especially explosive discovery, as he came across a “terrorism blacklist” that contains the names of 2.2 million “heightened-risk individuals and organizations.”
Vickery asked Reddit if he should share a copy of the Thomson Reuters World-Check database from mid-2014. He wrote, “This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.”
As Vice News previously pointed out about the “terrorism blacklist” (pdf), “it is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, pre-employment vetting agencies and nine of the top 10 global law firms. It provides ‘an early warning system for hidden risk.’” A current version of the database lists 93,000 people suspected of having ties to terrorism.
While Vickery didn’t reveal the precise details of how he found the unsecured database, or name the third-party organization that took zero precautions to protect it, he said he didn’t obtain the database by hacking. (He usually uses Shodan to find exposed databases that people recklessly put online without any security to protect them.) He called it “more of a leak than anything, although not directly from Thomson Reuters.”
Vickery laid out some of the pros and cons of releasing the database, which is reportedly compiled from public sources. Releasing it would give innocent people, as well as actual bad guys, a heads-up that they are listed in it. Both the BBC and Vice have reported on how inaccurate the terrorism database can be. If it became public, Vickery suggested, there could be harmful fallout for innocent individuals mistakenly listed.
Then there is the fact that Thomson Reuters most likely wouldn’t like it if its high-dollar list became free public knowledge. Indeed, Thomson Reuters saw the post, contacted Vickery and then looked up the notification he submitted to the company about finding the leak. Thomson Reuters took exception to the “blacklist” characterization and claimed not just anyone can subscribe to World-Check; there is a vetting process for those who can afford to subscribe.
Vickery told The Register, “As far as I know, the original location of the leak is still exposed to the public internet. Thomson Reuters is working feverishly to get it secured.”
It’s unknown if Vickery will release the “terrorism blacklist” to the public. Many comments on r/privacy suggest handing it over to reputable news outlets to be vetted. As is often the case, however, certain reporters get to see all the leaked documents while reporting only on some of them.
Other people want to know if they have been wrongly labeled in a database that they can’t see but law enforcement and other entities can. If it goes public, then it gives everyone the chance to see. Yet others believe the risk to people’s privacy is too great. As you can see from the example given in Thomson Reuters’ risk-screening documentation, a great deal of personal information is included in a named individual’s profile.
Even if the database is 2 years old, if it is like government watchlists, then once you get put on it, it is nearly impossible to get off. So do you think he should share it with the public?
Whether he does or doesn't, Vickery wrote:
At the very least, this should jump-start a little online conversation regarding the appropriateness of having private entities maintain lists utilized by government agencies and banks.