A list of 1.9 million terror suspects was open and exposed on the internet for three weeks. In addition, the file was unsecured, allowing anyone to access the list. The server where the data was placed was taken offline on August 9.
The list of terror suspects was discovered by Volodymyr “Bob” Diachenko, a security researcher at cybersecurity firm Security Discovery. In July, he encountered a large number of JSON files on an Elasticsearch cluster. To his great surprise, these were not protected by a password.
The dataset contained privacy-sensitive data of 1.9 million people, including first and last name, citizenship, gender, date of birth, passport details and no-fly status. The files were indexed by the search engines Censys and ZoomEye, which most likely indicates that Diachenko was not the only one to have seen this sensitive data.
What struck him most, and set off all the alarm bells, was a field called ‘TSC_ID’. TSC is an abbreviation that stands for Terrorist Screening Center. This is a database maintained by the FBI that lists people suspected of terrorism. Several government services – Ministry of Defense, airlines, customs – consult this service to check suspicious people and for other anti-terror purposes. Sometimes the TSC database is also referred to as the ‘no-fly list’.
Such databases contain highly sensitive data. That is why it is important to handle them with the utmost care. A strict authorization policy must be followed and the data must be well secured. Neither basic principle was observed.
Diachenko discovered the terror list on July 19 on a server with a Bahraini IP address. The moment he realized what the information was, he contacted the Department of Homeland Security. “They acknowledged the incident and thanked me for my work,” said the security expert.
He said it then took three weeks for the Department of Homeland Security to take the server offline. “It is unclear why it took so long. I have no idea whether other unauthorized parties had access to the database,” the security specialist writes on his LinkedIn profile.
The list that Diachenko found is highly controversial in the US. Human rights organizations have argued for years that it is unheard of for suspects to end up on the list without a fair trial. Suspects who have not been charged or convicted of anything may end up on this list. “In the wrong hands, this list could be used to oppress, harass or persecute people and their families. It could also cause personal and professional problems for innocent people whose names appear on the list,” Diachenko wrote on the matter.