“FBI’s list of 1.9 million terror suspects was online unsecured”


An FBI watchlist of terror suspects was exposed online for a while, according to a security researcher. The list contains details of 1.9 million people, including names, dates of birth, passport details and no-fly status.

The list was discovered in July by security researcher Volodymyr Diachenko on an unsecured Elasticsearch cluster that was not protected by a password. Diachenko found a large amount of JSON data there, he says in a LinkedIn post. The dataset contained the name, country of residence, gender, date of birth, passport details and no-fly status of 1.9 million people. By that time, the server on which the files were stored had already been indexed by the search engines Censys and ZoomEye.

According to Diachenko, the list may have come from the FBI’s Terrorist Screening Center (TSC) because it also includes people’s “tsc ID” and no-fly status. The TSC is responsible for maintaining the US terror list, which is used by various US government agencies. The watchlist that the TSC creates is used by, among others, the Transportation Security Administration to intercept possible terrorists when they try to enter the United States or when they apply for visas.

As soon as Diachenko discovered the list and realized what he had on his hands, he contacted the Department of Homeland Security. It then took three weeks before the server containing the sensitive data was taken offline. Diachenko cannot rule out that others accessed the list in the meantime. He does not know how long the list was online, but it was in any case longer than three weeks.

The FBI has not yet confirmed that it is indeed a list of terror suspects from the TSC, and it is also unknown whether the server on which the list was held is owned by a US government agency. It was tied to an IP address in Bahrain, not the US.

An example from the list. Image: Bob Diachenko
