[BreachExchange] Thomson Reuters World-Check Terrorist Database, Open For The World To View
Inga Goddijn
inga at riskbasedsecurity.com
Tue Jul 5 09:17:10 EDT 2016
https://www.riskbasedsecurity.com/2016/07/thomson-reuters-world-check-terrorist-database-open-for-the-world-to-view/
Recent attacks in Brussels <http://www.bbc.com/news/world-europe-35869985>
and Turkey’s Ataturk Airport
<https://www.theguardian.com/world/2016/jun/29/istanbul-ataturk-airport-attack-turkey-declares-day-of-mourning>
have shined a light on the process of identifying and tracking suspected
terrorists. As MacKeeper Security Researcher Chris Vickery discovered, that
process includes private companies aggregating details on millions of
people suspected – but not proven – of having ties to criminal activity. In
past few days, Chris reported his discovery of a “massive terror database
of 2 million people”
<http://www.businessinsider.com.au/world-check-terrorism-database-leaks-online-security-researcher-chris-vickery-claims-thomson-reuters-2016-6?r=UK&IR=T>
published online without any security controls.
Chris Vickery <https://www.youtube.com/watch?v=H0mlhrtb4W0>, who has become
well known in the industry due to his recent disclosures affecting the
Mexican
<https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data>
and American
<http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/#7cb6f84b1bb9>
governments, private companies
<http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html>
and several others <https://nakedsecurity.sophos.com/tag/chris-vickery/>,
announced the discovery of an open, unsecured database containing details
on 2.2 million persons identified as “heightened-risk individuals”. The
database, which is owned by Thomson Reuters, is called World-Check
<https://risk.thomsonreuters.com/products/world-check>. The purpose of the
service is to provide data to banks, financial institutions, and
corporations in order to comply with “know your customer” regulations as
well as supplying information to law enforcement, governments and
intelligence agencies. The persons included in the database are believed to
have some sort of “mark” associated with their name
<https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions>
for one reason or another, but it appears mostly because they were found in
the news.
The discovery of the exposed data was announced by Chris on Reddit and the
issue has since received a lot of attention, both in the media and in the
security community. Chris stated that he was considering publishing this
data
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
and he even provided a list of Pros and Cons. He has since decided not to
leak the data (to many commenters displeasure) and to only share the full
data with some trusted sources
<https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/>,
one of whom is Risk Based Security (RBS). Our researchers were in contact
with Chris and obtained a copy of the data for full analysis of the
contents (see below).
The data, provided in JSON format, was over 4GB and came from a CouchDB
system. Chris confirmed to RBS that “The original leaky CouchDB had no
authentication at all. No username or password necessary or requested.”
There are 2,248,125 entries in the database, consisting of individuals
tracked due to their alleged various ties to political, criminal or
military organizations as well as other individuals. The data is aggregated
from multiple public sources into a central database run by Thomson Reuters
under its risk management solution product called World-Check.
*What is World Check? *
World-Check was a London based firm founded in 2000 by David Leppen. In
2008, World-Check acquired another company named IntegraScreen, a provider
of due diligence reporting services. In 2011, World-Check was sold to
Thomson Reuters Enterprise for a rumored $530M
<http://fortune.com/2011/05/17/thomson-reuters-buying-crime-prevention-company-for-530-million/>
with the goal of expanding their Governance, Risk & Compliance business.
According to the World-Check homepage
<https://risk.thomsonreuters.com/products/world-check>, they claim that
their “information is collated from an extensive network of 100,000’s of
reputable sources”.
Thomson Reuters World-Check Terrorist Database, Open For The World To View
July 1, 2016 By RBS
<http://www.riskbasedsecurity.com/author/risk-based-security/>
[image: wc]
Recent attacks in Brussels <http://www.bbc.com/news/world-europe-35869985>
and Turkey’s Ataturk Airport
<https://www.theguardian.com/world/2016/jun/29/istanbul-ataturk-airport-attack-turkey-declares-day-of-mourning>
have shined a light on the process of identifying and tracking suspected
terrorists. As MacKeeper Security Researcher Chris Vickery discovered, that
process includes private companies aggregating details on millions of
people suspected – but not proven – of having ties to criminal activity. In
past few days, Chris reported his discovery of a “massive terror database
of 2 million people”
<http://www.businessinsider.com.au/world-check-terrorism-database-leaks-online-security-researcher-chris-vickery-claims-thomson-reuters-2016-6?r=UK&IR=T>
published online without any security controls.
Chris Vickery <https://www.youtube.com/watch?v=H0mlhrtb4W0>, who has become
well known in the industry due to his recent disclosures affecting the
Mexican
<https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data>
and American
<http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/#7cb6f84b1bb9>
governments, private companies
<http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html>
and several others <https://nakedsecurity.sophos.com/tag/chris-vickery/>,
announced the discovery of an open, unsecured database containing details
on 2.2 million persons identified as “heightened-risk individuals”. The
database, which is owned by Thomson Reuters, is called World-Check
<https://risk.thomsonreuters.com/products/world-check>. The purpose of the
service is to provide data to banks, financial institutions, and
corporations in order to comply with “know your customer” regulations as
well as supplying information to law enforcement, governments and
intelligence agencies. The persons included in the database are believed to
have some sort of “mark” associated with their name
<https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions>
for one reason or another, but it appears mostly because they were found in
the news.
The discovery of the exposed data was announced by Chris on Reddit and the
issue has since received a lot of attention, both in the media and in the
security community. Chris stated that he was considering publishing this
data
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
and he even provided a list of Pros and Cons. He has since decided not to
leak the data (to many commenters displeasure) and to only share the full
data with some trusted sources
<https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/>,
one of whom is Risk Based Security (RBS). Our researchers were in contact
with Chris and obtained a copy of the data for full analysis of the
contents (see below).
The data, provided in JSON format, was over 4GB and came from a CouchDB
system. Chris confirmed to RBS that “The original leaky CouchDB had no
authentication at all. No username or password necessary or requested.”
There are 2,248,125 entries in the database, consisting of individuals
tracked due to their alleged various ties to political, criminal or
military organizations as well as other individuals. The data is aggregated
from multiple public sources into a central database run by Thomson Reuters
under its risk management solution product called World-Check.
*What is World Check? *
World-Check was a London based firm founded in 2000 by David Leppen. In
2008, World-Check acquired another company named IntegraScreen, a provider
of due diligence reporting services. In 2011, World-Check was sold to
Thomson Reuters Enterprise for a rumored $530M
<http://fortune.com/2011/05/17/thomson-reuters-buying-crime-prevention-company-for-530-million/>
with the goal of expanding their Governance, Risk & Compliance business.
According to the World-Check homepage
<https://risk.thomsonreuters.com/products/world-check>, they claim that
their “information is collated from an extensive network of 100,000’s of
reputable sources”.
[image: wc1]
They further state that “in 2012 alone we identified more than 180 entities
before they appeared on the US Treasury Office of Foreign Assets Control
(OFAC) list based on reputable sources identifying relevant risks.”
Thomson Reuters World-Check Terrorist Database, Open For The World To View
July 1, 2016 By RBS
<http://www.riskbasedsecurity.com/author/risk-based-security/>
[image: wc]
Recent attacks in Brussels <http://www.bbc.com/news/world-europe-35869985>
and Turkey’s Ataturk Airport
<https://www.theguardian.com/world/2016/jun/29/istanbul-ataturk-airport-attack-turkey-declares-day-of-mourning>
have shined a light on the process of identifying and tracking suspected
terrorists. As MacKeeper Security Researcher Chris Vickery discovered, that
process includes private companies aggregating details on millions of
people suspected – but not proven – of having ties to criminal activity. In
past few days, Chris reported his discovery of a “massive terror database
of 2 million people”
<http://www.businessinsider.com.au/world-check-terrorism-database-leaks-online-security-researcher-chris-vickery-claims-thomson-reuters-2016-6?r=UK&IR=T>
published online without any security controls.
Chris Vickery <https://www.youtube.com/watch?v=H0mlhrtb4W0>, who has become
well known in the industry due to his recent disclosures affecting the
Mexican
<https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data>
and American
<http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/#7cb6f84b1bb9>
governments, private companies
<http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html>
and several others <https://nakedsecurity.sophos.com/tag/chris-vickery/>,
announced the discovery of an open, unsecured database containing details
on 2.2 million persons identified as “heightened-risk individuals”. The
database, which is owned by Thomson Reuters, is called World-Check
<https://risk.thomsonreuters.com/products/world-check>. The purpose of the
service is to provide data to banks, financial institutions, and
corporations in order to comply with “know your customer” regulations as
well as supplying information to law enforcement, governments and
intelligence agencies. The persons included in the database are believed to
have some sort of “mark” associated with their name
<https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions>
for one reason or another, but it appears mostly because they were found in
the news.
The discovery of the exposed data was announced by Chris on Reddit and the
issue has since received a lot of attention, both in the media and in the
security community. Chris stated that he was considering publishing this
data
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
and he even provided a list of Pros and Cons. He has since decided not to
leak the data (to many commenters displeasure) and to only share the full
data with some trusted sources
<https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/>,
one of whom is Risk Based Security (RBS). Our researchers were in contact
with Chris and obtained a copy of the data for full analysis of the
contents (see below).
The data, provided in JSON format, was over 4GB and came from a CouchDB
system. Chris confirmed to RBS that “The original leaky CouchDB had no
authentication at all. No username or password necessary or requested.”
There are 2,248,125 entries in the database, consisting of individuals
tracked due to their alleged various ties to political, criminal or
military organizations as well as other individuals. The data is aggregated
from multiple public sources into a central database run by Thomson Reuters
under its risk management solution product called World-Check.
*What is World Check? *
World-Check was a London based firm founded in 2000 by David Leppen. In
2008, World-Check acquired another company named IntegraScreen, a provider
of due diligence reporting services. In 2011, World-Check was sold to
Thomson Reuters Enterprise for a rumored $530M
<http://fortune.com/2011/05/17/thomson-reuters-buying-crime-prevention-company-for-530-million/>
with the goal of expanding their Governance, Risk & Compliance business.
According to the World-Check homepage
<https://risk.thomsonreuters.com/products/world-check>, they claim that
their “information is collated from an extensive network of 100,000’s of
reputable sources”.
[image: wc1]
They further state that “in 2012 alone we identified more than 180 entities
before they appeared on the US Treasury Office of Foreign Assets Control
(OFAC) list based on reputable sources identifying relevant risks.”
[image: wc2]
*World-Check Database Analysis*
In the Reddit post, Chris states
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
that “I have obtained a copy of the World-Check database from mid-2014”.
Our analysis confirms this, as we see entries in the database starting
2000-03-17 and the last entry has an end date of 2014-09-17. The start
date aligns exactly with the company founding, but why the database ends as
2014 isn’t confirmed. It is worth noting that historically we have seen
issues such as this related to test servers or backups that have been
forgotten.
The data fields for each entry consist of the following:
category, subcategories, creation dates, Social Security number, first
name, last name, aliases, alternative spellings, low quality aliases, dates
of birth, deceased status, further information, passports id numbers and
countries, company numbers, source references, and citizenship status
RBS researchers found that the Category, Further Information and Source
Reference data fields offer the most interesting insight from the database.
*Category Field*
The category field contains over 13 different selection types, and it
appears that some categories have associated subcategories as well. One of
the other interesting discoveries is that World-Check is not only tracking
humans, but apparently tracking vessels as well.
Here is a breakdown of the Full Categories field options and the number of
detections for each:
- CRIME – FINANCIAL – 181,060
- CRIME – NARCOTICS – 130,115
- CRIME – OTHER – 67,606
- CRIME – ORGANIZED 46,003
- CORPORATE – 176,009
- DIPLOMAT – 66,385
- INDIVIDUAL – 928,804
- LEGAL – 82,937
- MILITARY – 16,963
- POLITICAL INDIVIDUAL – 450,591
- POLITICAL PARTY – 5,175
- TERRORISM – 76,890
- VESSEL – 918
Out of the people tracked there were 375,071 Females and 1,313,977 Males.
*Further Information*
The further information field appears to be broken down into different
sections some of which include [BIOGRAPHY], [IDENTIFICATION] , [REPORTS].
The following provides a few examples of the type of data (we have redacted
portions) included in the Further Information field:
“May 2011 – arrested on suspicion of committing motor insurance fraud of
approximately JPY7.5m.”
“Member of 12th [REDACTED] Provincial People’s Congress representing
[REDACTED] ([REDACTED]). Mayor of [REDACTED] District ([REDACTED]). Member
of Communist Party of China. “
“[REPORTS] Aug 2014 – no further information reported.”
“[BIOGRAPHY] Lawyer. [IDENTIFICATION] [REDACTED]. [REDACTED](PEP) (father).
[REDACTED](mother).[REDACTED] (brother). [REDACTED] (brother).
[REDACTED](brother). [REPORTS] Aug 2014 – no further information reported.”
“[BIOGRAPHY] Suspected links to organised crime elements of a crime group
affiliated with the Yamaguchi-gumi crime syndicate. [IDENTIFICATION]
[REDACTED] (associate). [REDACTED] (associate). [REPORTS] May 2011 –
arrested on suspicion of committing motor insurance fraud of approximately
JPY7.5m.”
“[BIOGRAPHY] Member of [REDACTED]Provincial People’s Congress representing
[REDACTED] (Jan 2013 – ). Mayor of [REDACTED] (Feb 2012 – ). Member of
Communist Party of China. [IDENTIFICATION] Native of [REDACTED]. [REPORTS]
To be determined.”
May 2006 – escaped from custody while serving 15-year-sentence for armed
bank robbery. Jun 2006 – charged with prison escape. Jul 2006 – pleaded
guilty. Sep 2006 – sentenced to 4 months imprisonment and 3 years
supervised release. Previously convicted on armed robbery and violence
charges.
UAE. [REDACTED] (Aug 2009 – ). f.k.a. TOYOEI MARU ( – Aug 2009). FLAG: Iran
(Aug 2009 – ). FORMER FLAG: Mongolia (May 2009 – Aug 2009), Japan ( – May
2009). [REPORTS] To be determined.
*Source Reference*
While one can argue that this data collected was pulled from already public
source, the Source Reference field has what can be described as an
extensive amount of raw links to sources that back up the claims made in
the Further Information fields. The sources used range from the US and
Chinese government to individual and small news sites.
*Is this any different than the other data breaches?*
As Thomson Reuters requested it to be known
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>,
they are not the only company gathering this kind of data and putting
together this type of database. Also, this database isn’t the first – and
clearly will not be the last – exposed on the Internet via Shodan that
causes problems for its owner. However this is the first database of this
type, with aggregated details on suspected terrorists or people being
tracked because of their various suspect affiliations.
Should we be concerned when data like this is floating around unsecured,
indexed and open on the Internet? As individuals with an interest in
protecting our privacy and identity, the natural focus is on how the
organizations we choose to share our information with go about using and
protecting the data we provide. But in the case of World-Check, this data
was not given to them by the individuals in the database. Rather the
company was tracking individuals via public sources and in some cases
apparently making assumptions to include the person based on published
information. As Chris rightly points out in his deliberations around
sharing the data, “innocent people that have been put on this list deserve
to know that they are on it.” In fact, many of the individuals on the list
were marked as “Deceased”, perhaps one could conclude making it even more
high risk if you wrongly ended up on this list. Taking it even further,
this information could be construed as a pure “blacklist” of specific
people and potentially could be quite dangerous if in the hands of certain
governments, private companies or criminals. Certainly this is one reason
why reportedly “access to its contents is granted via a strict vetting
process and the signing of NDA’s
<http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/>.”
Chris himself appears to have some concerns over this particular issue,
as he has published was he called the “Vickery Insurance File torrent
<https://www.reddit.com/r/torrentlinks/comments/4qf8rn/vickery_insurance_file_torrent/>
”.
Regardless whether this type of aggregated data is a concern or not since
it is based on already public data, it is yet another great cautionary tale
of when information security practices goes wrong. Asset Management and
comprehensive data inventory is critical to an information security program
and cannot be ignored, just because it is deemed as “hard” to do. Just ask
JP Morgan
<http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0>
about the impact of neglected servers or Cabcharge about their data being
exposed
<https://www.riskbasedsecurity.com/2016/05/australia-cabcharge-data-exposed-still-waiting-for-a-response-much-like-their-customers/>
.
As for Thomson Reuters, in the future they might want to better consider
the vendors
<https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/>
that they work with as it appears an outsourced firm know as SmartKYC
<http://www.smartkyc.com/> is responsible for the leaky database as it was
confirmed that they worked with them to secure the data.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160705/2b553a56/attachment.html>
More information about the BreachExchange
mailing list