A security researcher, Bob Dichenko, discovered a secret terrorist watchlist with 1.9 million records, including classified “no-fly” records exposed on the Internet. The list was left accessible on an Elasticsearch cluster that had no password required to access it. Diachenko believes the list originated from the FBI’s Terrorist Screening Center (TSC), which is used by multiple federal agencies and maintains a watchlist commonly referred to as the “no-fly” list. The researcher identified the list on July 19th and immediately informed the proper authorities. The exposed server was taken down three weeks later.
The FBI did not comment on the matter, and it has not been confirmed if the server leaking the list belonged to a U.S. government agency or a third-party entity. Individuals added to the list are generally confirmed members of a terrorist organization or those suspected of belonging to or supporting such organizations. The list is considered highly sensitive and if exposed could cause irreparable damage to national security investigations. Binary Defense analysts regularly monitor criminal forums for sensitive information leaks. So far, this data has not been shared or offered for sale. Unless the organization responsible for hosting the exposed data had access logging set up properly, it may be difficult to determine how many different people, in addition to Dichenko, accessed the files during the three weeks they were available. Organizations that use cloud file hosting services should regularly audit the access control settings for their sensitive files, provide a clear point of contact for researchers to report security misconfigurations, and take prompt corrective action after a report is received.