Security researcher Bob Diachenko discovered that a secret FBI terrorist watchlist with 1.9 million records, including classified “no-fly” records, was exposed after it was left on an unsecured Elasticsearch cluster that had no password.
The terror list had been indexed across multiple search engines since July 19th and was removed only after almost a month.
Diachenko said the list was from the Terrorist Screening Center (TSC) and contained full names, TSC watchlist ID, citizenship, gender, date of birth, passport number, no-fly indicator, and country of issuance.
The list was reportedly stored on a server with an IP address in Bahrain and was entered around May.
The server was indexed by search engines like Censys and ZoomEye, and there was no information on how many other people were able to access it.
“I immediately reported it to Department of Homeland Security (DHS) officials, who acknowledged the incident and thanked me for my work,” said Diachenko.
DHS has not commented on the list but removed it on August 9th.
© Fourth Estate® — All Rights Reserved.