A database that classifies people, major charities, activists, and mainstream religious institutions as potential terrorists or money launderers was found available to anybody who knew where to look online, with no credentials needed to access it.
The mid-2014 copy of Thomson Reuters’ World-Check confidential intelligence database was likely posted by one of the company’s customers.
MacKeeper security researcher Chris Vickery, who on Tuesday posted about his find on Reddit, said it hadn’t come directly from Thomson Reuters:
No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.
On Wednesday, David Crundwell, a spokesperson for Thomson Reuters, sent out this statement:
“Thomson Reuters was yesterday alerted to the fact that out of date information from the World-Check database had been exposed by a third party. We are grateful to Chris Vickery for bringing this to our attention, and have acted with the utmost urgency to contact the third party concerned—with whom we are now in contact in order to secure the information.”
It sounds similar to another recent Vickery discovery. In late June, he found a database, containing 154 million US voter registration records, leaking information on a dizzying array of intimate details, including gun ownership. Vickery believed it was likely leaked by a purchaser hosting it in an insecure manner.
The database in this week’s leak, World-Check, is a global database of “heightened-risk individuals.”
According to Vice, it’s used by over 300 government and intelligence agencies, pre-employment vetting agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms.
In an investigation published in February, Vice found that the database has grown “dramatically” since its founding in 1999. The number of entries in its “terrorism” category has grown five-fold since 2007, to over 93,000. As of February, the list contained 2.7 million individuals and entities.
As Vice noted, banks and law enforcement agencies find this “risk data” vital. Particularly after the US fined HSBC $1.9 billion after a Senate investigation found that the bank had served as a channel for “drug kingpins and rogue nations”.
The terrorism category is only a small part of the database of “heightened-risk” individuals and organizations, Vickery noted. It also categorizes individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other illegal activities.
Motherboard reviewed a copy of the exposed World-Check database and found that it contains over 2,240,000 entries, including the categories “political individual,” “corporate,” “military,” and “crime—narcotics.”
World-Check says that the list is sourced from the public domain, including sanction, watch, regulatory and law enforcement lists, as well as local and international government records.
Bryan
ouch.
At first blush this could be considered while-less-than-ideal-not-all-that-bad; the terrorist who escaped on a technicality was later neutralized in a “random” event in a restaurant or at home.
But while “suspected terrorist” is just that, the phrase holds too much power over our natural tendency to presume guilt–if he’s such a good guy, why did they arrest him?
I myself love to read and learn. I’ve perused information about relativity, the Manhattan Project, 9/11, the Holocaust, Nazi atomic research, lockpicking, Bin Laden, conspiracy theories, and more. I’ve no doubt triggered multiple cues if not joined several watchlists.
I don’t post hate speech or promote civil unrest (and therefore haven’t likely read enough to be labeled “heightened risk”), but if curiosity put me on this leaked list, should I start looking over my shoulder while reading more about karate?
Adam
Karate? No, more like “how to drop off the grid & become self-sustaining in a remote cave somewhere”, I would think. Of course, that might put you on another watch-list, so…. *shrugs*
Bryan
I meant more that if I were on this list I’d hate for it to be subsequently leaked to a public which included some reverse-jihadist with more ammo and free time than critical-thinking skills and restraint. But thanks for the laugh; that was awesome!
Techno
We used to use that database in my former job in the financial industry. It was a real pain because it only matched on somebody’s name. So if your name is Donald Trump, you will find all your applications for financial products delayed while they check if you are the REAL Donald Trump.
OK, so there probably aren’t many people in the world called Donald Trump, but when you realise that the British Labour Party once had a leader called John Smith you can see the problem.