Yet more sensitive data has been left lying around in the cloud.
The Dow Jones Watchlist, which details purportedly dicey executives, their dicey buddies and their dicey businesses to aid organizations in their due diligence, was discovered in an Amazon Web Services (AWS)-hosted Elasticsearch database that somebody forgot to slap a password onto.
Independent security researcher Bob Diachenko last week reported finding a copy of the watchlist on a public server, open for any and all takers.
All it took to find the unsecured database was a search on one of the publicly available Internet of Things (IoT) search engines, which index services listening on the open internet, including Elasticsearch instances that answer requests without asking for credentials.
The researcher reported his find to the Dow Jones security incident response team last Friday (22 February 2019). Fortunately, the team was on it the same day, taking the database down and issuing this statement:
This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.
The exposed database contained 2.4 million records. A Dow Jones spokesperson told TechCrunch that an “authorized third party” was to blame for the exposure: in other words, it sounds like a customer or contractor put the records online without securing them.
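The check a practitioner would want after reading this is a simple one: does an anonymous request to your own Elasticsearch nodes come back with cluster metadata, or with a 401? The script below is an added example, not code from the original article and not Dow Jones’s or Diachenko’s tooling. It classifies the response to an unauthenticated `GET /` and, for a node that turns out to be open, totals the document counts from `GET /_cat/indices?format=json`. The sample responses embedded in it are constructed to resemble what an Elasticsearch 6.x node returns (they are not captured from this incident), and the hostname and port in the usage line are assumptions.

```python
"""
Check whether an Elasticsearch node answers anonymous requests.

Added example (not from the original article). The sample responses are
constructed to look like a 6.x node's output; they were not captured from
any real cluster.
"""
import json
import sys
import urllib.error
import urllib.request

EXPOSED = "exposed"             # anonymous GET / returned cluster metadata
PROTECTED = "protected"         # 401/403: authentication is being enforced
NOT_ELASTICSEARCH = "not-es"    # something other than Elasticsearch answered

# Constructed sample: what an open node returns for GET / with no credentials.
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "version": {"number": "6.5.4"},
    "tagline": "You Know, for Search",
})

# Constructed sample: the 401 body a node with security enabled returns.
SAMPLE_LOCKED_ROOT = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication token for REST request [/]"},
    "status": 401,
})

# Constructed sample: one row of GET /_cat/indices?format=json (neutral data).
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "records",
     "docs.count": "1200", "docs.deleted": "0", "store.size": "3.2mb"},
    {"health": "green", "status": "open", "index": "audit",
     "docs.count": "40", "docs.deleted": "0", "store.size": "12kb"},
])


def classify(status: int, body: str) -> str:
    """Decide how the node treated an anonymous GET / from status code and body."""
    if status in (401, 403):
        return PROTECTED
    if status != 200:
        return NOT_ELASTICSEARCH
    try:
        doc = json.loads(body)
    except ValueError:
        return NOT_ELASTICSEARCH
    # An open node hands back its cluster name and version to anyone who asks.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return EXPOSED
    return NOT_ELASTICSEARCH


def index_doc_counts(cat_indices_json: str) -> dict:
    """Parse GET /_cat/indices?format=json into {index_name: document_count}."""
    rows = json.loads(cat_indices_json)
    # docs.count is null for closed indices; treat that as zero.
    return {row["index"]: int(row.get("docs.count") or 0) for row in rows}


def total_docs(cat_indices_json: str) -> int:
    """Total number of documents reachable on an open node."""
    return sum(index_doc_counts(cat_indices_json).values())


def _fetch(url: str, timeout: float):
    """Return (status, body) for an anonymous GET, including 4xx responses."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Probe one node (e.g. http://es.internal:9200, an assumed address)."""
    status, body = _fetch(base_url.rstrip("/") + "/", timeout)
    verdict = classify(status, body)
    result = {"url": base_url, "verdict": verdict, "documents": 0}
    if verdict == EXPOSED:
        _, cat_body = _fetch(base_url.rstrip("/") + "/_cat/indices?format=json", timeout)
        result["documents"] = total_docs(cat_body)
    return result


if __name__ == "__main__":
    # With no arguments, run against the constructed samples; otherwise probe
    # each URL given on the command line (network access required for that).
    if len(sys.argv) == 1:
        print("sample open node:", classify(200, SAMPLE_OPEN_ROOT),
              total_docs(SAMPLE_CAT_INDICES), "documents")
        print("sample locked node:", classify(401, SAMPLE_LOCKED_ROOT))
    else:
        for url in sys.argv[1:]:
            print(probe(url))
```

Run it with no arguments to see the classification of the constructed samples, or pass one or more node URLs to probe real hosts. Anything reported as `exposed` with a non-zero document count is exactly the situation described in this article: a node that will hand its indices to whoever finds it first.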
Risky business
It might well have been information derived from publicly available sources, but that doesn’t mean it wasn’t sensitive data, conveniently pulled into one repository that includes people’s alleged criminal histories and possible terrorist links. The Watchlist’s names and connections are regularly updated by a Dow Jones research team.
This is a useful repository for businesses. If you’re a big bank, you’re a big target, and, for both legal and branding-linked reasons, you don’t want to do business with big old criminals – say, money launderers or terrorists.
That’s the sales pitch for the Dow Jones Watchlist: a watchlist of risky people, their relatives, people they’re close to, and businesses they’re associated with. It’s used by government agencies, and banks use it to determine whether to provide financing. From a Dow Jones sales brochure:
Doing business with the wrong person just once can result in steep financial penalties for your organization and legal proceedings against key executives. The ensuing scandal can cause irreparable damage to your corporate reputation.
Diachenko says that the records are indexed, tagged and searchable. They’re also more valuable than what you might stumble across on your own, he says, given that they’re vetted, having come from “premium and reputable sources.”
In the age of fake news and social engineering online it is easy to see how valuable this type of information would be to companies, governments, or individuals.
Dow Jones isn’t the only financial information giant to curate this type of risk list. Thomson Reuters, for example, has its World-Check: a list that, as of 2015, was used by 49 out of the world’s largest 50 banks to help them judge who to take on as clients, or whose accounts to shut down (with no requirement to disclose why). As the BBC points out, banks can be held responsible if their clients are involved in financing terror or money-laundering.
These lists aren’t without their critics. They’ve been criticized as being based on “flimsy evidence” and “fringe sources.” From a 2017 analysis of a 2014 copy of World-Check done by The Intercept:
[The analysis indicated] that many thousands of people, including children, were listed on the basis of tenuous links to crime or to politically prominent persons.
The database relied on allegations stemming from right-wing Islamophobic websites to categorize under “terrorism” people and groups like the Council on American-Islamic Relations, several mosques, and national and regional Islamic organizations.
TechCrunch reports that the exposed records in Dow Jones’s Watchlist vary “wildly,” with some including “names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs.” Diachenko also found dates of birth and genders. The profiles also had extensive notes collected from Dow Jones’s Factiva news archive and other sources.
Dow Jones has declined to identify the third party responsible for the leak.
Tom Cooper
It was not a customer who forgot to enter a password on an AWS Elasticsearch server. Customers don’t secure servers, technologists do. The “authorized third party” would be a cloud consulting firm.
I can’t believe that your writer is that clueless about how technology works.
Paul Ducklin
Well, probably. Possibly. Perhaps. Though whether it was a customer, a contractor (or someone who was both – who can say except Dow Jones?) who had access, it seems that no one secured this server, so whoever it was, that person wasn’t much of a server technologist.
I’ve changed the wording to say “customer or contractor”.
anonymous
Last paragraph still says only customer.
Paul Ducklin
Fixed, thanks.