BreachExchange mailing list archives
Thomson Reuters World-Check Terrorist Database, Open For The World To View
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 5 Jul 2016 08:17:10 -0500
https://www.riskbasedsecurity.com/2016/07/thomson-reuters-world-check-terrorist-database-open-for-the-world-to-view/

July 1, 2016
By RBS <http://www.riskbasedsecurity.com/author/risk-based-security/>

Recent attacks in Brussels <http://www.bbc.com/news/world-europe-35869985> and Turkey’s Ataturk Airport <https://www.theguardian.com/world/2016/jun/29/istanbul-ataturk-airport-attack-turkey-declares-day-of-mourning> have shined a light on the process of identifying and tracking suspected terrorists. As MacKeeper Security Researcher Chris Vickery discovered, that process includes private companies aggregating details on millions of people suspected – but not proven – of having ties to criminal activity. In the past few days, Chris reported his discovery of a “massive terror database of 2 million people” <http://www.businessinsider.com.au/world-check-terrorism-database-leaks-online-security-researcher-chris-vickery-claims-thomson-reuters-2016-6?r=UK&IR=T> published online without any security controls.

Chris Vickery <https://www.youtube.com/watch?v=H0mlhrtb4W0>, who has become well known in the industry due to his recent disclosures affecting the Mexican <https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data> and American <http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/#7cb6f84b1bb9> governments, private companies <http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html> and several others <https://nakedsecurity.sophos.com/tag/chris-vickery/>, announced the discovery of an open, unsecured database containing details on 2.2 million persons identified as “heightened-risk individuals”.

The database, which is owned by Thomson Reuters, is called World-Check <https://risk.thomsonreuters.com/products/world-check>. The purpose of the service is to provide data to banks, financial institutions, and corporations in order to comply with “know your customer” regulations, as well as to supply information to law enforcement, governments and intelligence agencies. The persons included in the database are believed to have some sort of “mark” associated with their name <https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions> for one reason or another, but it appears mostly because they were found in the news.

The discovery of the exposed data was announced by Chris on Reddit and the issue has since received a lot of attention, both in the media and in the security community. Chris stated that he was considering publishing this data <https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/> and he even provided a list of Pros and Cons. He has since decided not to leak the data (to many commenters’ displeasure) and to only share the full data with some trusted sources <https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/>, one of whom is Risk Based Security (RBS).

Our researchers were in contact with Chris and obtained a copy of the data for full analysis of the contents (see below). The data, provided in JSON format, was over 4GB and came from a CouchDB system. Chris confirmed to RBS that “The original leaky CouchDB had no authentication at all. No username or password necessary or requested.”

There are 2,248,125 entries in the database, consisting of individuals tracked due to their various alleged ties to political, criminal or military organizations as well as other individuals. The data is aggregated from multiple public sources into a central database run by Thomson Reuters under its risk management solution product called World-Check.

*What is World Check?*

World-Check was a London-based firm founded in 2000 by David Leppen. In 2008, World-Check acquired another company named IntegraScreen, a provider of due diligence reporting services. In 2011, World-Check was sold to Thomson Reuters Enterprise for a rumored $530M <http://fortune.com/2011/05/17/thomson-reuters-buying-crime-prevention-company-for-530-million/> with the goal of expanding their Governance, Risk & Compliance business.

According to the World-Check homepage <https://risk.thomsonreuters.com/products/world-check>, they claim that their “information is collated from an extensive network of 100,000’s of reputable sources”. They further state that “in 2012 alone we identified more than 180 entities before they appeared on the US Treasury Office of Foreign Assets Control (OFAC) list based on reputable sources identifying relevant risks.”

*World-Check Database Analysis*

In the Reddit post, Chris states <https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/> that “I have obtained a copy of the World-Check database from mid-2014”. Our analysis confirms this, as we see entries in the database starting 2000-03-17 and the last entry has an end date of 2014-09-17. The start date aligns exactly with the company founding, but why the database ends in 2014 isn’t confirmed. It is worth noting that historically we have seen issues such as this related to test servers or backups that have been forgotten.
The data fields for each entry consist of the following: category, subcategories, creation dates, Social Security number, first name, last name, aliases, alternative spellings, low quality aliases, dates of birth, deceased status, further information, passport ID numbers and countries, company numbers, source references, and citizenship status.

RBS researchers found that the Category, Further Information and Source Reference data fields offer the most interesting insight from the database.

*Category Field*

The category field contains over 13 different selection types, and it appears that some categories have associated subcategories as well. One of the other interesting discoveries is that World-Check is not only tracking humans, but apparently tracking vessels as well.

Here is a breakdown of the Full Categories field options and the number of detections for each:

- CRIME – FINANCIAL – 181,060
- CRIME – NARCOTICS – 130,115
- CRIME – OTHER – 67,606
- CRIME – ORGANIZED – 46,003
- CORPORATE – 176,009
- DIPLOMAT – 66,385
- INDIVIDUAL – 928,804
- LEGAL – 82,937
- MILITARY – 16,963
- POLITICAL INDIVIDUAL – 450,591
- POLITICAL PARTY – 5,175
- TERRORISM – 76,890
- VESSEL – 918

Out of the people tracked there were 375,071 Females and 1,313,977 Males.

*Further Information*

The further information field appears to be broken down into different sections, some of which include [BIOGRAPHY], [IDENTIFICATION], [REPORTS]. The following provides a few examples of the type of data (we have redacted portions) included in the Further Information field:

“May 2011 – arrested on suspicion of committing motor insurance fraud of approximately JPY7.5m.”

“Member of 12th [REDACTED] Provincial People’s Congress representing [REDACTED] ([REDACTED]). Mayor of [REDACTED] District ([REDACTED]). Member of Communist Party of China.”

“[REPORTS] Aug 2014 – no further information reported.”

“[BIOGRAPHY] Lawyer. [IDENTIFICATION] [REDACTED]. [REDACTED](PEP) (father). [REDACTED](mother).[REDACTED] (brother). [REDACTED] (brother). [REDACTED](brother). [REPORTS] Aug 2014 – no further information reported.”

“[BIOGRAPHY] Suspected links to organised crime elements of a crime group affiliated with the Yamaguchi-gumi crime syndicate. [IDENTIFICATION] [REDACTED] (associate). [REDACTED] (associate). [REPORTS] May 2011 – arrested on suspicion of committing motor insurance fraud of approximately JPY7.5m.”

“[BIOGRAPHY] Member of [REDACTED]Provincial People’s Congress representing [REDACTED] (Jan 2013 – ). Mayor of [REDACTED] (Feb 2012 – ). Member of Communist Party of China. [IDENTIFICATION] Native of [REDACTED]. [REPORTS] To be determined.”

May 2006 – escaped from custody while serving 15-year-sentence for armed bank robbery. Jun 2006 – charged with prison escape. Jul 2006 – pleaded guilty. Sep 2006 – sentenced to 4 months imprisonment and 3 years supervised release. Previously convicted on armed robbery and violence charges.

UAE. [REDACTED] (Aug 2009 – ). f.k.a. TOYOEI MARU ( – Aug 2009). FLAG: Iran (Aug 2009 – ). FORMER FLAG: Mongolia (May 2009 – Aug 2009), Japan ( – May 2009). [REPORTS] To be determined.

*Source Reference*

While one can argue that the data collected was pulled from already public sources, the Source Reference field has what can be described as an extensive amount of raw links to sources that back up the claims made in the Further Information fields. The sources used range from the US and Chinese governments to individual and small news sites.

*Is this any different than the other data breaches?*

As Thomson Reuters requested it to be known <https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>, they are not the only company gathering this kind of data and putting together this type of database. Also, this database isn’t the first – and clearly will not be the last – exposed on the Internet via Shodan that causes problems for its owner.
However, this is the first database of this type, with aggregated details on suspected terrorists or people being tracked because of their various suspect affiliations. Should we be concerned when data like this is floating around unsecured, indexed and open on the Internet?

As individuals with an interest in protecting our privacy and identity, the natural focus is on how the organizations we choose to share our information with go about using and protecting the data we provide. But in the case of World-Check, this data was not given to them by the individuals in the database. Rather, the company was tracking individuals via public sources and in some cases apparently making assumptions to include the person based on published information. As Chris rightly points out in his deliberations around sharing the data, “innocent people that have been put on this list deserve to know that they are on it.” In fact, many of the individuals on the list were marked as “Deceased”, which one could perhaps conclude makes it even more high risk if you wrongly ended up on this list.

Taking it even further, this information could be construed as a pure “blacklist” of specific people and potentially could be quite dangerous if in the hands of certain governments, private companies or criminals. Certainly this is one reason why reportedly “access to its contents is granted via a strict vetting process and the signing of NDA’s <http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/>.” Chris himself appears to have some concerns over this particular issue, as he has published what he called the “Vickery Insurance File torrent <https://www.reddit.com/r/torrentlinks/comments/4qf8rn/vickery_insurance_file_torrent/>”.

Regardless of whether this type of aggregated data is a concern or not, since it is based on already public data, it is yet another great cautionary tale of what happens when information security practices go wrong.
Asset management and a comprehensive data inventory are critical to an information security program and cannot be ignored just because they are deemed “hard” to do. Just ask JP Morgan <http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0> about the impact of neglected servers or Cabcharge about their data being exposed <https://www.riskbasedsecurity.com/2016/05/australia-cabcharge-data-exposed-still-waiting-for-a-response-much-like-their-customers/>.

As for Thomson Reuters, in the future they might want to better consider the vendors <https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/> that they work with, as it appears an outsourced firm known as SmartKYC <http://www.smartkyc.com/> is responsible for the leaky database, as it was confirmed that they worked with them to secure the data.
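
The two lessons above, an inventory of every server and a CouchDB that asked for no username or password, combine into a recurring check over hosts you operate. The following Python is an added example, not part of the original post or any RBS tooling; the host names, the `audit`, `classify` and `exposed` helpers and the sample replies are constructed for illustration, and it assumes a CouchDB that lists its databases at `/_all_dbs` on the default port 5984.

```python
"""Check hosts from your own asset inventory for a CouchDB that answers anonymously."""
import json
import urllib.error
import urllib.request

OPEN = "open: database list returned without credentials"
AUTH_REQUIRED = "authentication required"
UNREACHABLE = "unreachable"
INCONCLUSIVE = "inconclusive: reply is not a CouchDB database list"


def fetch(url, timeout=5):
    """Send one GET with no credentials; return (status, body) or (None, "")."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 are raised as exceptions
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (OSError, ValueError):  # refused, timed out, DNS failure, malformed URL
        return None, ""


def classify(status, body):
    """Classify the reply to an anonymous GET /_all_dbs."""
    if status is None:
        return UNREACHABLE
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            names = json.loads(body)
        except ValueError:
            return INCONCLUSIVE
        # CouchDB answers /_all_dbs with a JSON array of database names.
        if isinstance(names, list) and all(isinstance(n, str) for n in names):
            return OPEN
    return INCONCLUSIVE


def audit(inventory, fetcher=fetch):
    """Map every base URL in the inventory to a finding."""
    return {base: classify(*fetcher(base.rstrip("/") + "/_all_dbs"))
            for base in inventory}


def exposed(findings):
    """Hosts that need authentication enabled or need to be decommissioned."""
    return sorted(host for host, finding in findings.items() if finding == OPEN)


# Constructed sample replies (not real hosts), keyed by inventory base URL.
SAMPLE_REPLIES = {
    "http://couch-prod.example.internal:5984":
        (401, '{"error":"unauthorized","reason":"Authentication required."}'),
    "http://couch-test-2014.example.internal:5984":
        (200, '["_replicator","_users","records_backup"]'),
    "http://wiki.example.internal:5984": (200, "<html>It works</html>"),
    "http://retired.example.internal:5984": (None, ""),
}


def sample_fetcher(url):
    """Offline stand-in for fetch() that serves SAMPLE_REPLIES."""
    return SAMPLE_REPLIES[url[: -len("/_all_dbs")]]


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_REPLIES, fetcher=sample_fetcher).items():
        print(f"{host:45} {finding}")
```

Calling `audit` without a `fetcher` uses the live `fetch`; any host reported open needs authentication turned on or the server retired, and unreachable entries are a prompt to confirm the inventory is current.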