Cyber security researcher Bob Diachenko has discovered nearly two million terrorist watchlist records, including "no-fly" list indicators, which were left exposed online last month, which are now taken down by the US Department of Homeland Security (DHS) on Aug 9.
The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI, which maintains the country's no-fly list, a subset of the larger watchlist. A typical record in the list contains full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more, he informed.
The researcher, who came across a plethora of records, posted a message on Monday and said, "On July 19, I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it."
The cybersecurity researcher reported the matter to the Department of Homeland Security, which acknowledged the incident. "The DHS did not provide any further official comment, though," he said.
The files were indexed by multiple search engines in an easily readable format. The exposed server was taken down about three weeks later, on August 9. The list was left accessible on an Elasticsearch cluster that had no password on it.
The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime.
"If it falls in wrong hands, this list could be used to oppress, harass or persecute people mentioned on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list," Diachenko said.
There have been several reports of US authorities recruiting informants in exchange for keeping their names off the no-fly list. Some past or present informants' identities could have been leaked. The Terrorist Screening Center (TSC) was set up by the US Federal Bureau of Investigation (FBI) in 2003.
The TSC maintains a watchlist of suspected terrorists. The notorious no-fly list is a subset of the TSC watchlist. The watchlist is supposed to be classified, with access only granted to "agencies and officials who are authorised to conduct terrorist screening in the course of their duties".
Prior to 2015, the watchlist was completely secret. Then the US changed its policy and began privately informing people in the US who were added to the list, but people outside the country still often can't find out whether they're on the no-fly list until they try to board a plane.
"Some members of the US Congress have proposed banning sales of firearms to people on the no-fly list," said the researcher.