A cybersecurity researcher found the Dow Jones Watchlist residing in an open Elasticsearch database containing 2.4 million records of politicians, criminals and national and international sanction lists.
Independent researcher Bob Diachenko reported on his Security Discovery blog that he came across the 4.4GB dataset on February 22. The files were not secured and could be found using any public IoT search engine, he said. The information Diachenko found contained:
· Global coverage of senior politically exposed persons (PEPs), their relatives, close associates, and the companies they are linked to.
· National and international government sanction lists and categories.
· Persons officially linked to, or convicted of, high-profile crime.
· Profile notes from Dow Jones, including citations of federal agencies and law enforcement sources.
“In other words, it contained the identities of government officials, politicians and people of political influence in every country of the world. The data is designed to help identify risks when researching an individual and efficient due diligence. Obviously, banks use Watchlist data to identify money laundering and illicit payments through key information about a public figure’s identity,” Diachenko wrote.
The database was taken down after Diachenko contacted the company and, he noted, was replaced with the following statement.
“This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”
Even if all the information was derived from publicly available sources, the fact that it was indexed, cataloged and then exposed was an egregious error and could possibly lead to further crimes taking place, said two cybersecurity executives.
“This data breach is particularly egregious for both the lack of very basic protection -- a password -- and the extremely high degree of sensitivity of the data. There may be people on the list that are innocent, and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future,” said Carl Wright, CCO at AttackIQ.
Anurag Kahol, CTO and founder of Bitglass, noted, “Dow Jones' exposed database contained sensitive details on current and former politicians, alleged and convicted criminals, citizens with possible terrorist links, companies facing sanctions, and organizations convicted of high-profile crimes. Leaving this information unprotected is both careless and irresponsible – as is failing to address the issue in detail with the public.”
According to the Dow Jones Financial Information Services website, the Watchlist is “Used by eight of the world’s 10 largest, global, Financial Institutions Dow Jones Watchlist is statistically proven to be the most accurate, complete, and up-to-date list of senior PEPs, their relatives and close associates.” Others on the Watchlist are persons linked to high-profile crimes.
Organizations pay for access to the list to conduct enhanced due diligence, monitor negative news coverage of existing or prospective customers, more easily deploy a risk-based approach to PEP screening, and reduce the risk of legal penalties and reputational damage, Dow Jones said.