Nearly 2 Million Records From Terrorist Watchlist Exposed Online

A terrorist watchlist comprising 1.9 million data remained open and unsecured on the internet for three weeks between July 19th and August 9th. The Terrorist Screening Center (TSC), a multi-agency centre run by the Federal Bureau of Investigation, is believed to have compiled the watchlist. The list was left accessible to the public on an Elasticsearch cluster with no password. 

In July this year, Security Discovery researcher Bob Diachenko discovered various JSON documents in an unsecured Elasticsearch cluster, which grabbed his interest. 

The 1.9 million-strong record set includes sensitive information about people, such as their names, nation citizenship, gender, date of birth, passport data, and no-fly status. 

Search engines Censys and ZoomEye listed the exposed server, implying Diachenko was not the only one who came across the list. Given the nature of the open data (e.g. passport details and “no-fly indicator”), the researcher informed BleepingComputer that it seemed to be a no-fly or similar terrorist watchlist. 

“The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed,” he added.

In addition, the researcher observed specific enigmatic fields like “tag,” “nomination kind,” and “selectee indication” that were not understandable. Diachenko told BleepingComputer, as per the nature of the data and the presence of a specific field entitled ‘TSC ID,” was the only reasonable conclusion implying that the record set’s source may be the Terrorist Screening Center (TSC). 

Multiple federal agencies use the FBI’s TSC to manage and exchange integrated information for counterterrorism reasons. The Terrorist Screening Database, often known as the “no-fly list,” is a secret watchlist managed by the agency. 

Such databases are regarded as extremely sensitive, given the critical role they play in assisting national security and law enforcement activities. Terrorists or reasonable suspicions who represent a national security threat at the government’s discretion are “nominated” for inclusion on the secret watchlist. 

The list is cited by airlines and multiple agencies, like the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP), to check the list in order to determine whether a passenger is allowed to fly, impermissible to the United States, or to examine their risk for various activities. 

The unsecured database was discovered on July 19th on a server with a Bahrain IP address and disclosed the data leak to the US Department of Homeland Security on the same day (DHS). 

“I discovered the exposed data on the same day and reported it to the DHS. The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it,” writes Diachenko in his report. 

According to Diachenko, releasing such sensitive information might affect people whose data might be included on the list. 

“The terrorist watchlist is made up of people who are suspected of terrorism, but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” he alerted.