Nearly 2 million terrorist watchlist records, including “no-fly” list indicators, were purportedly exposed online. The list was indexed across multiple search engines on July 19th, but the Department of Homeland Security did not remove it until three weeks later, as first reported by Bleeping Computer Monday.
Security Discovery researcher Volodymyr “Bob” Diachenko discovered the watchlist, which appears to be the product of the Terrorist Screening Center, last month. The files were indexed by multiple search engines in an easily readable format. Records included information like full names, citizenship status, date of birth, passport numbers, and no-fly indicators. No password or separate authentication was necessary to access it, Diachenko wrote in a LinkedIn post Monday.
“I immediately reported it to Department of Homeland Security officials”
“I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work,” Diachenko wrote. “The DHS did not provide any further official comment, though.”
The server was indexed by search engines like Censys and ZoomEye on July 19th. Diachenko discovered the data that day and reported it to the Department of Homeland Security. It wasn’t until August 9th that the server was taken down. It’s unclear if any unauthorized users accessed the data.
The Terrorist Screening Center is a multi-agency center led by the FBI and responsible for managing the US’s terrorist watchlist. It produces a watchlist used by screening agencies like the DHS and Transportation Security Authority (TSA) to identify known or suspected terrorists attempting to enter the country by boarding aircrafts or obtaining visas. Databases like these contain extremely sensitive information related to US national security concerns.
It’s not unusual for innocent people to be put on the FBI’s no-fly list. In 2008, NBC reported that one US airline recorded 9,000 false positives in a single day. In 2010, the American Civil Liberties Union filed a legal challenge on behalf of 10 US citizens or permanent residents who were falsely added to the no-fly list. In 2014, a court ruled that the government must notify citizens and permanent residents when they are placed on the list.