2 million government records exposed online in 'no-fly' watchlist, researcher says
A security researcher says the massive trove of records included names, birthdates and passport details.
A security researcher said Monday that nearly 2 million records of personally identifiable information -- including passport details, dates of birth, and names -- were exposed in what may be the leak of a secret terrorist watchlist. The records included "no-fly" status information for each person's record, according to a report by Bleeping Computer.
In a blog post on LinkedIn, Security Discovery researcher Bob Diachenko said he discovered the trove of records online July 19 in an unprotected Elasticsearch cluster, which required no password or identity authentication to access. Diachenko said the exposed server had a Bahrain IP address, and it's unclear whether the server is owned by the US government or another party.
Diachenko said he reported his finding to the US Department of Homeland Security the same day, but the records weren't removed from public view until Aug. 3. It's unclear whether any other unauthorized parties had access to the exposed records during that time.
Given the attributes of the data, Diachenko believes the list originated from an FBI-DHS terrorist watchlist, which is used by several federal agencies.
"The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more," he wrote.
The FBI and DHS declined to comment.
The discovery of the unprotected records comes just a month after the DHS -- joined by the Department of Justice and other federal agencies -- launched a new website aiming to combat the threat of ransomware, and only weeks after a US Senate committee report slammed several other federal agencies for failing to shore up their basic cybersecurity defenses.
Earlier in the year, the DOJ and DHS were targets of the infamous SolarWinds hack, in which both departments' secretaries' email accounts were targeted. Before that hack, the DHS had already had brushes with significant exposures of personal records. In 2018, a former employee who was then under criminal investigation caused a data breach that exposed personally identifiable information on more than 240,000 current and former DHS employees.