- A classified terrorist watchlist has been exposed online due to a database misconfiguration.
- The exposure lasted almost three weeks, which all but guarantees that the data was exfiltrated.
- The watchlist was set up by the FBI and is accessible only to a small number of agencies and authorized officials.
Approximately 1.9 million records that constitute the Terrorist Screening Center’s secret watchlist have been left online and accessible by anyone with a web browser and a valid URL, due to a configuration error. The discovery of this exposure comes from the “unprotected database hunter” Bob Diachenko, who found the watchlist on July 19, 2021, and immediately reported the incident to the US Department of Homeland Security.
Unfortunately, it took officials another three weeks to secure the exposed server, on August 9, 2021, leaving plenty of time for unauthorized access.
Each of the 1.9 million records contained the following information:
- Full name
- TSC watchlist ID
- Date of birth
- Passport number
- Country of issuance
- No-fly indicator
The problem with this exposure is that a large number of people suspected of terrorism or of involvement in shady circles may now learn that the authorities have spotted them, and may take measures to hide their activities and protect their dangerous secrets better in the future. This list was supposed to be classified and available only to the FBI, the Department of State, the Department of Defense, the TSA, the CBP, and some international partners. Even within these agencies, only authorized officials should be able to access the watchlist, for example to conduct screening.
So, is there any chance the data went unnoticed by malicious actors or by others willing to pass this information on to the people concerned? Diachenko states that he has not seen any signs of access, but it is highly unlikely that the exposure went unnoticed for so long. By the time of its discovery in July, the server had already been indexed by Censys and ZoomEye, and it remained indexed for three more weeks. That is far longer than the few hours actors typically need to find an exposed instance and exfiltrate its data.
Finally, it is also worth noting that the very existence of this watchlist is highly controversial, since inclusion on it is an arbitrary decision with severe repercussions for the individuals concerned, rather than the outcome of a fair and transparent process of evidence evaluation. As such, its exposure could even result in the project being scrapped.