Back in July, cybersecurity researcher Bob Diachenko found what seemed to be a leaked FBI watchlist naming the personal details of close to 2 million suspected terrorists. Diachenko quickly filed a report to the Department of Homeland Security, hoping the agency would issue some sort of patch to keep this data from leaking into the wrong hands, which it did — roughly three weeks later.
“It’s not clear why it took so long, and I don’t know for sure whether any unauthorised parties accessed it,” Diachenko wrote in a Monday Linkedin post describing the incident, which was first reported by Bleeping Computer. He went on to add that the exposed server where he found the watchlist was already freely available on hacker-friendly search engines like Censys and Zoomeye, no passwords needed.
According to Diachenko, the dataset came from the Terrorist Screening Centre (TSC), an FBI-led federal collective responsible for maintaining the thousands of records in the government’s no-fly list — a subset of the FBI’s much, much larger terrorist watchlist. The TSC includes “select international partners,” according to the FBI. Diachenko says the IP address linked to the leaked database was based in Bahrain.
In a nutshell, the no-fly list is exactly what it sounds like: a list of people who are branded by the federal government as potential terrorist threats and barred from boarding any planes heading into, out of, or within the U.S. as a result.
This appears to be the list — or a portion of the list — that Diachenko stumbled onto in his initial research. While he couldn’t say for sure whether the entire list was exposed in the leak, he was able to find about 1.9 million records detailing individuals’ no-fly statuses, full names, citizenship, genders, passport numbers, and more.
“I do not know how much of the full TSC Watchlist it stored,” he wrote, “but it seems plausible that the entire list was exposed.”
Apparently, this is the TSC (Terrorist Screening Centre) dataset publicly exposed (tsc_id is the only clue), with 1.9M+ records. In any case, any thoughts as of where to responsibly report? pic.twitter.com/e31pSrHnoM
— Bob Diachenko 🇺🇦 (@MayhemDayOne) July 19, 2021
Undoubtedly, a few of the names in that sea of records are going to belong to innocent people. The no-fly list is notorious for branding innocent individuals as potential threats to national security based on faulty data, and then making it near-impossible for them to get their names off. This past April, a Michigan man partnered with the American Civil Liberties Union to sue FBI Director Christopher Wray after the agency falsely accused him of being a Hezbollah agent and slapped him with the “no-fly” label.
“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime,” Diachenko wrote. “In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”