Researcher discovers FBI terrorist watchlist exposed online for three weeks
A security researcher called Volodymyr "Bob" Diachenko claims he found that the records of two million people had been accessible online for three weeks. Worryingly, the records belonged to people who were on the American Federal Bureau of Investigation's (FBI) terrorist watchlist. This list includes sensitive information such as the name, date of birth, and passport number of the individuals. Here are more details.
After Diachenko spotted it, watchlist stayed online for three weeks
On July 19, Diachenko discovered the watchlist online. The FBI then left the records accessible for three weeks. The Department of Homeland Security took the server housing the records offline on August 9, 2021. According to the security researcher, access to the watchlist was not restricted by a password. While online, the list was quickly indexed by search engines like Censys and ZoomEye.
Department of Homeland Security thanked researcher for his work
The sensitive data included the FBI Terrorist Screening Center's (TSC) no-fly list for America. The no-fly list is used by federal agencies including the Transportation Security Administration (TSA) to identify potential and suspicious terrorists entering the US. According to his LinkedIn post, the researcher reportedly alerted the Department of Homeland Security officials who acknowledged the incident and thanked Diachenko for his work.
List could be used to harass, oppress people: Diachenko
In fact, Diachenko noted that the server with the records was hosted on a Bahrain IP address, not an American one. Diachenko noted that in the wrong hands, this list could be used to "oppress, harass, or persecute people on the list or their families". It could also cause personal and professional problems for the innocents on the list.
False positives on the no-fly list is a common occurrence
The Verge reported that innocents on no-fly lists aren't a rare occurrence. In 2008, one US airline alone recorded 9,000 false positives in a single day. Since 2014, when US citizens and residents are put on the list, the government must notify them.
Copy of the list probably exists on someone's computer now
"The Department of Homeland Security did not provide any further official comment, though (beyond thanking Diachenko)," his LinkedIn post noted. In today's age of internet-reliant society it is not hard to imagine that somewhere on the internet, a copy of the database still exists. After all, it was indexed by search engines and online for three weeks after Diachenko discovered it.