An FBI watch list of terror suspects was exposed online, unsecured, for a while, according to a security researcher. The list contains details of 1.9 million people, including names, dates of birth, passport details and no-fly status.
The list was discovered in July by security researcher Volodymyr Diachenko on an Elasticsearch cluster that was not protected by a password. Diachenko discovered a large amount of JSON data there, he says in a LinkedIn post. In the dataset, he found the name, country of residence, gender, date of birth, passport details and no-fly status of 1.9 million people. The server containing the files had already been indexed by the search engines Censys and ZoomEye at that time.
According to Diachenko, the list may have come from the FBI’s Terrorist Screening Center, as the list also includes people’s “tsc ID” and no-fly status. The TSC is responsible for maintaining the US terror list, which is used by various US government agencies. The watchlist created by the TSC is used, among other things, by the Transportation Security Administration to intercept possible terrorists when they try to enter the United States or when they apply for visas.
As soon as Diachenko discovered the list and realized what he had in his hands, he contacted the Department of Homeland Security. It then took three weeks before the server containing the sensitive data was taken offline. Diachenko cannot rule out that the list was accessed by others in the meantime. He does not know how long the list was online, but it was in any case longer than three weeks.
The FBI has not yet confirmed that the list is indeed a TSC terror suspect list, and it is also unknown whether the server that contained the list is owned by a U.S. government agency. The server was associated with an IP address in Bahrain, not the US.
An example from the list. Image: Bob Diachenko