A security researcher said Monday that nearly 2 million records of personally identifiable information — including passport details, dates of birth, and names — were exposed in what may be the leak of a secret terrorist watchlist. Each record also included the person’s “no-fly” status, according to a report by Bleeping Computer.
In a blog post on LinkedIn, Security Discovery researcher Bob Diachenko said he discovered the trove of records online July 19 in an unprotected Elasticsearch cluster, which required no password or identity authentication to access. Diachenko said the exposed server had a Bahrain IP address, and it’s unclear whether the server is owned by the US government or another party.
Diachenko said he reported his finding to the US Department of Homeland Security the same day, but the records weren’t removed from public view until Aug. 3. It’s unclear whether any other unauthorized parties had access to the exposed records during that time.
Given the attributes of the data, Diachenko believes the list originated from an FBI-DHS terrorist watchlist, which is used by several federal agencies.
“The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more,” he wrote.
The FBI and DHS declined to comment.
The discovery of the unprotected records comes just a month after the DHS — joined by the Department of Justice and other federal agencies — aiming to combat the threat of ransomware, and only weeks after a US Senate committee report for failing to shore up their basic cybersecurity defenses.
Earlier in the year, and DHS were targets of the , when both departments’ were targeted. Prior to the hack, the DHS had brushes with significant personal records exposures. In 2018, a former employee, then under criminal investigation, caused a data breach that on more than 240,000 current and former DHS employees.