1.9 million records from the FBI's terrorist watchlist leaked online
A copy of the FBI's terrorist watchlist was exposed online for three weeks between July 19 and August 9, 2021, a security researcher revealed today.
Known as the FBI Terrorist Screening Center (TSC), the database was created in 2003 as a response to the 9/11 terrorist attacks. Managed by the FBI, the database contains the names and personal details of individuals who are "known or reasonably suspected of being involved in terrorist activities."
While the database is managed by the FBI, the agency also provides access to it to several other US government agencies, including the Department of State, the Department of Defense, the Transportation Security Authority, Customs and Border Protection, and even some international law enforcement partners.
While the database contains data on suspected terrorists, it is better known in popular culture as the US No Fly List, because it is primarily used by US authorities and international airlines to decide who may enter the US or travel within its territory.
Exposed server was taken down after three weeks
In a LinkedIn post today, Bob Diachenko, Cyber Threat Intelligence Director at security firm Security Discovery, said he discovered a copy of the TSC database on a Bahraini IP address.
"The exposed Elasticsearch cluster contained 1.9 million records," Diachenko said. "I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed."
Information exposed in the leak included data points such as:
- Full name
- TSC watchlist ID
- Date of birth
- Passport number
- Country of issuance
- No-fly indicator
Apparently, this is the TSC (Terrorist Screening Centre) dataset publicly exposed (tsc_id is the only clue), with 1.9M+ records. In any case, any thoughts as of where to responsibly report? pic.twitter.com/e31pSrHnoM
— Bob Diachenko (@MayhemDayOne) July 19, 2021
Diachenko said he notified the Department of Homeland Security on July 19, the same day the database was indexed by the Censys and ZoomEye search engines, which is also when he found it.
"The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it."
— Bob Diachenko, Cyber Threat Intelligence Director at security firm Security Discovery
Contacted by The Record earlier today, the FBI had no comment.
It is unclear if the exposed Elasticsearch server was managed by a US agency, one of its partners, or if this was an illegally obtained copy.
While the existence of the TSC database was kept secret for more than a decade, in recent years, the DHS began notifying US citizens when they were added to the TSC's No Fly List.
Without knowing who is to blame for this leak, it is unclear whether the FBI or DHS will have to notify US citizens who were added to the TSC No Fly List that their data was exposed online.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.