A list of data from 1.9 million people has been online for weeks without a password. Everything points to a list of possible terrorists.
The dataset includes name, date of birth, gender, passport details, whether the person is on a no-fly list and other less obvious indicators. Security researcher Bob Diachenko of Comparitech discovered the list on an Elasticsearch cluster that was kept without a password.
Precisely what the list has not been formally confirmed, but things like the no-fly status and descriptions such as ‘TSC watchlist ID’ (TSC stands for Terrorist Screening Center) strongly suggest that it is a list that contains American institutions or airlines to identify possible terrorists.
Diachenko discovered the list on July 19 and notified the US Department of Homeland Security. The list has been taken offline since August 9. But she’s also been indexed by search engines, so Diachenko probably isn’t the only one with the data.
Diachenko says on LinkedIn that he was thanked by DHS for pointing out the data breach but was given no further explanation about the list or how she got online. Although the TSC reference suggests that it is a dataset compiled by American institutions, the data was stored on a server in Bahrain.