A cybersecurity researcher has discovered nearly two million terrorist watchlist records, including “no-fly” list indicators, which were left exposed online last month.
The US Department of Homeland Security (DHS) did not remove them until three weeks later.
Cybersecurity researcher Bob Diachenko came across a plethora of records that were exposed online.
“On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it,” Diachenko said in a LinkedIn post on Monday.
The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI.
“The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he wrote.
The cybersecurity researcher reported the matter to the Department of Homeland Security, which acknowledged the incident.
“The DHS did not provide any further official comment, though,” he said.
The files were indexed by multiple search engines in an easily readable format. The exposed server was taken down about three weeks later, on August 9.
The list was left accessible on an Elasticsearch cluster that had no password on it.
The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime.
“If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” Diachenko said.
There have been several reports of US authorities recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants’ identities could have been leaked.
The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.
The TSC maintains a watchlist of suspected terrorists. The notorious no-fly list is a subset of the TSC watchlist. The watchlist is supposed to be classified, with access only granted to “agencies and officials who are authorised to conduct terrorist screening in the course of their duties”.
Prior to 2015, the watchlist was completely secret. Then the US changed its policy and began privately informing people in the US who were added to the list, but people outside the country still often can’t find out whether they’re on the no-fly list until they try to board a plane.
“Some members of the US Congress have proposed banning sales of firearms to people on the no-fly list,” said the researcher.