2 million government records exposed online in 'no-fly' watchlist, researcher says

A security researcher says the massive trove of records included names, birthdates and passport details.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

An international airline passenger is fingerprinted by US Customs and Border Protection at Dulles International Airport in 2007.

Win McNamee / Getty Images

A security researcher said Monday that nearly 2 million records of personally identifiable information -- including passport details, dates of birth, and names -- were exposed in what may be the leak of a secret terrorist watchlist. The records included "no-fly" status information for each person's record, according to a report by Bleeping Computer.

In a blog post on LinkedIn, Security Discovery researcher Bob Diachenko said he discovered the trove of records online July 19 in an unprotected Elasticsearch cluster, which could be read without a password or any other form of authentication. Diachenko said the exposed server had a Bahrain IP address, and it's unclear whether the server is owned by the US government or another party.
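The exposure described here is the routine one for Elasticsearch: a node whose HTTP port answers anonymous requests. The following added example is not code from the article or from the researcher it quotes; it shows the check an engineer would run against their own hosts to tell an open node from a secured one. It assumes stock Elasticsearch behaviour, which is that GET / on an unsecured cluster returns HTTP 200 with a JSON document containing `cluster_name` and `version`, while a cluster with security enabled answers HTTP 401 with a WWW-Authenticate header. The sample responses in the block are constructed, not captured from any real host.

```python
"""Classify whether an Elasticsearch HTTP endpoint answers anonymous requests.

Added illustration, not code from the article or the researcher it quotes.
Assumes stock Elasticsearch behaviour: GET / on an unsecured cluster returns
HTTP 200 with a JSON body containing "cluster_name" and "version"; with
security enabled it returns HTTP 401 and a WWW-Authenticate header.
"""
import json
import urllib.error
import urllib.request

OPEN = "open"                    # served the request anonymously: exposed
AUTH_REQUIRED = "auth_required"  # a security layer demanded credentials
NOT_ES = "not_elasticsearch"     # something other than an open ES node


def classify(status: int, headers: dict, body: bytes) -> str:
    """Decide from one HTTP response whether a cluster is open to anonymous use."""
    # 401/403 means some access control is in front of the data.
    if status in (401, 403):
        return AUTH_REQUIRED
    if status != 200:
        return NOT_ES
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return NOT_ES
    # The node root document only comes back when the request was actually
    # served, i.e. no credentials were required to read cluster metadata.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return OPEN
    return NOT_ES


def probe(url: str, timeout: float = 5.0) -> str:
    """Fetch url and classify it. Use only against hosts you are authorised to test."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        # urllib raises on 4xx/5xx; the error object still carries the response.
        return classify(e.code, dict(e.headers), e.read())


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "open_node": (
        200,
        {"Content-Type": "application/json"},
        b'{"name":"node-1","cluster_name":"docker-cluster",'
        b'"version":{"number":"7.13.0"},"tagline":"You Know, for Search"}',
    ),
    "secured_node": (
        401,
        {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'},
        b'{"error":{"type":"security_exception",'
        b'"reason":"missing authentication credentials for REST request"}}',
    ),
    "web_server": (
        200,
        {"Content-Type": "text/html"},
        b"<html><body>hello</body></html>",
    ),
}


def classify_samples() -> dict:
    """Run classify() over the constructed samples; used by the demo below."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The caveat worth remembering: Elasticsearch releases before 8.0 shipped with `xpack.security.enabled` defaulting to false, so a node bound to a public interface behaved exactly like the `open_node` sample until someone turned security on, and an inventory scan like `probe()` run from outside the network is the quickest way to find such a node before a third party does.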


Diachenko said he reported his finding to the US Department of Homeland Security the same day, but the records weren't removed from public view until Aug. 3. It's unclear whether any other unauthorized parties had access to the exposed records during that time.

Given the attributes of the data, Diachenko believes the list originated from an FBI-DHS terrorist watchlist, which is used by several federal agencies. 

"The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more," he wrote. 


The FBI and DHS declined to comment.

The discovery of the unprotected records comes just a month after the DHS -- joined by the Department of Justice and other federal agencies -- launched a new website aiming to combat the threat of ransomware, and only weeks after a US Senate committee report slammed several other federal agencies for failing to shore up their basic cybersecurity defenses. 


Earlier in the year, the DOJ and DHS were among the targets of the SolarWinds hack, in which the email accounts of both departments' secretaries were targeted. Before that, the DHS had already had brushes with significant exposures of personal records. In 2018, a former employee who was then under criminal investigation caused a data breach that exposed personally identifiable information on more than 240,000 current and former DHS employees.
