America's secret terrorist watchlist exposed on the web without a password: report

On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.

The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.

I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.

Timeline of the exposure

On July 19, 2021, The exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS.

The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it.

What data was exposed?

The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

Each record in the watchlist contained some or all of the following info:

• Full name
• TSC watchlist ID
• Citizenship
• Gender
• Date of birth
• Passport number
• Country of issuance
• No-fly indicator

The data also included a couple of categorical fields that I was unable to identify, including "tag," "nomination type," and "selectee indicator".

Notably, the database was found on a Bahrain IP address, not a US one.

Dangers of exposed data

The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harrass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.

There have been several reports of US authorities recruiting informants in exchange for keeping their names off of the no-fly list. Some past or present informants’ identities could have been leaked.

About the TSC watchlist

The Terrorist Screening Center was set up by the US Federal Bureau of Investigation (FBI) in 2003. It shares information on suspected terrorists with the following US federal agencies:

• Department of State
• Department of Defense
• Transportation Security Authority (TSA)
• Customs and Border Protection (CBP)

… as well as some international partners.

The TSC maintains a watchlist of suspected terrorists. The notorious no-fly list is a subset of the TSC watchlist. The watchlist is supposed to be classified, with access only granted to "agencies and officials who are authorized to conduct terrorist screening in the course of their duties..."

Prior to 2015, the watchlist was completely secret. Then the US changed its policy and began privately informing people in the US who were added to the list, but people outside the country still often can't find out whether they're on the list until they try to board a plane.

Some members of the US Congress have proposed banning sales of firearms to people on the no-fly list.

The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process.

Why we reported this data incident

Our team works to scan the web for accessible databases that contain personal information. When we come across exposed data, we investigate the nature of the information as well as who is responsible for it. We also determine who might be affected as a result of the exposure and the potential impact.

Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured. Finally, we report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.

Contact me: bob[at]diachenko.net for any media inquiries or bob[at]securitydiscovery.com if you are a company seeking for a professional advice/consultancy or cyber security services to improve your security posture.