Global counter-terrorism database World-Check leaks online

At least one non-authorized person obtained sensitive information following the leak of global counter-terrorism database World-Check, owned by Thomson Reuters.

Chris Vickery, a security researcher at the software company MacKeeper, posted on Reddit that a copy of the World-Check database from mid-2014 had come into his possession.

Quote

Terrorism Blacklist: I have a copy. Should it be shared? (self.privacy)

submitted   by FoundTheStuff

About me: Hello, my name is Chris Vickery. In the recent past I have discovered dozens of databases consisting of voter registries, medical histories, insurance records, Hello Kitty fan accounts, and much more. A quick googling can provide additional info.

When private data is involved, I always do my best to get the database secured before disclosing news of the exposure. However, this brand new find is a different kind of animal. It appears to all be sourced from publicly available material (although I'm certain someone will correct me if I'm mistaken about that).

What I just recently found: A few years ago, Thomson Reuters purchased a company for $530 million. Part of this deal included a global database of "heightened-risk individuals" called World-Check that Thomson Reuters maintains to this day. According to Vice.com, World-Check is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism.

I have obtained a copy of the World-Check database from mid-2014.

No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.

This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.

I am posting this message in order to ask, "Should I release this database to the world?". I want your opinion.

At the very least, this should jump-start a little online conversation regarding the appropriateness of having private entities maintain lists utilized by government agencies and banks.

Here are some arguments for, and against, releasing the database:

-For:

  1. Innocent people that have been put on this list deserve to know that they are on it.

  2. The data is apparently all aggregated from public sources.

  3. The database is already accessible to anyone that is willing to pay Thomson Reuters for it.

-Against:

  1. Releasing it may tip off some actual bad guys that really should be on such a list.

  2. Thomson Reuters' legal team will likely have some words for me. After all, they do invest considerable time and effort in categorizing and analyzing the data even if it is from public sources. There's probably a copyright argument to be made.

  3. I have nothing against Thomson Reuters and I'm generally a pretty friendly guy.

  4. Some harm will likely be done to individuals that shouldn't be on the list, but are on the list by mistake. Suddenly the mistaken listing would be much more widespread than even Thomson Reuters' subscribers.

Also, consider the Vice article: https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions

And the Thomson Reuters page for the database: https://risk.thomsonreuters.com/products/world-check

*A special note to Thomson Reuters: I do plan to contact you shortly regarding the circumstances that resulted in me obtaining a copy of this database. Hopefully we can work together to get the original leak plugged and my ear will be wide open if you do wish for my copy of the database to remain private and you have any persuasive reasoning.

~~~~~~~~~~

Small update: I have now left a voicemail with Thomson Reuters and submitted notification via their World-Check support portal. Hopefully they will contact me soon.

~~~~~~~~~~

Update #2: Thomson Reuters saw this post, looked up my notification through the World-Check support portal, and gave me a call. They were very nice. I have passed along details of where the leak is and, to the best of my knowledge, they are are working to get it secured.

*One important point that they would like to highlight (and something I'll agree with): Thomson Reuters is not the only company gathering this kind of data and putting together this type of database. They may be a leader in the industry, but it's not fair to vilify them as if they were the only company in the market.

*Additionally- Thomson Reuters does not believe that this is any kind of "blacklist" and they disagree with Vice's characterizations. I'm not saying they are right or wrong on that, but it's only fair to convey what they expressed to me.

*They also claim that not just anyone can become a subscriber to World-Check and that there is a vetting process for appropriate subscribers. I have no way to verify whether a large enough check could or could not buy a subscription, so again this is just what they said to me.

~~~~~~~~~~

Update #3: For those interested in my safety, an encrypted "insurance" file is available here:https://www.reddit.com/r/torrentlinks/comments/4qf8rn/vickery_insurance_file_torrent/ . No, this is not a release of the data, but it is something that should add a degree of protection for me.

“No hacking was involved in my acquisition of this data,” Vickery pointed out. “I would call it more of a leak than anything, although not directly from Thomson Reuters.”]

Unquote

Vickery described the database as a 2.2 million-record copy of “heightened-risk individuals and organizations.”

World-Check provides banks, corporates, law enforcement, governments and intelligence agencies with security screenings about people and entities.

We monitor over 530 sanction, watch and regulatory law and enforcement lists, and hundreds of thousands of information sources, often identifying heightened-risk entities months or years before they are listed,” Thomson Reuters explains on its website.

According to Reuters, World-Check is updated by more than 350 research analysts based in 11 research centers across five continents.

Thomson Reuters spokesperson David Crundwell confirmed the leak to TechCrunch, adding that it was due to — as Vickery said — a “third party.”

 

“Thomson Reuters was yesterday alerted to out-of-date information from the World-Check database that had been exposed by a third party,” the company said in a statement. “We are grateful to Chris Vickery for bringing this to our attention, and immediately took steps to contact the third party responsible. As a result, we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident.”

Reuters declined to answer further questions regarding what the leaked information was about and how the third-party let the leak happen.

In an email to TechCrunch, Vickery revealed that the leak was due to a CouchDB instance that was “perhaps mistakenly” configured for public access. Apache CouchDB is an open source non-relational database software.

The company that is likely responsible for the exposed CouchDB, according to Vickery, is SmartKYC, a London-based financial services firm.

“Thomson Reuters did confirm to me early this morning that they have been working with SmartKYC to secure the data and it is believed to now be offline,” Vickery emailed TechCrunch.

Vickery also declared he still has a copy of the database.

In August 2015, BBC’s Radio 4 also was granted unauthorized access to World-Check thanks to “a client who has deep reservations about its methods,” journalist Peter Oborne reported.

FEATURED IMAGE: SEIKA/FLICKR UNDER A CC BY 2.0 LICENSE