Identity, Data Security, Breach

5.3M World-Check records may be leaked; how to check your records

World-Check, a “know your customer” (KYC) database with millions of records on “high risk” individuals and organizations, may soon have its database leaked by hackers who claim to have stolen 5.3 million World-Check records from a third party.

TechCrunch reported Thursday that a group called GhostR told the publication they hacked a Singapore-based company with access to the database in March and are threatening to publish the data online. The third party that was allegedly breached was not named, nor was its relationship to World-Check fully explained.

A data sample provided by GhostR to TechCrunch reportedly included names, Social Security numbers, bank account numbers, cryptocurrency account identifiers and passport numbers. The sample contained information on thousands of individuals labeled as “politically exposed people” at a high risk of committing financial crimes.

It is unclear whether GhostR is attempting to extort the London Stock Exchange Group (LSEG), which maintains World-Check, or plans to sell the data, although TechCrunch described the group as “financially motivated.” An LSEG spokesperson told the publication that the company’s own systems were not breached and that it is working with the third party and authorities to ensure the data is protected.

How to check if your records are in the World-Check database

The World-Check screening database is offered as a subscription service for companies to perform KYC checks and determine whether prospective customers may be linked to financial crimes, such as money laundering, or are under government sanctions.

World-Check came under LSEG’s ownership in 2021 when LSEG purchased financial data company Refinitiv for $27 billion.

World-Check has been criticized in the past for falsely labelling individuals and organizations as high risk; for example, in 2017, Maajid Nawaz, founder of the now-defunct British think tank Quillium, successfully sued the database’s then-owner Thomson Reuters for wrongfully including his name under the “terrorism” category.

Those who are concerned their information may be contained in the database can submit an inquiry to LSEG. The LSEG website states that subjects have a right to request a copy of any personal information it holds about them, ask for updates to personal information held and object to the processing of their personal information, and that there is no cost for requests.

The website also states that LSEG may not always be able to meet requests and will provide an explanation if a request cannot be completed.

The reported GhostR hack is not the first time records from the World-Check database have been leaked. In 2016, more than 2 million records from the database were leaked by an unidentified third party and discovered by security researcher Chris Vickery. Thomson Reuters confirmed the leak, noting that the exposed records were “out of date” and reporting that the records were taken down by the third party after their discovery.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.