<div dir="ltr"><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.riskbasedsecurity.com/2016/07/thomson-reuters-world-check-terrorist-database-open-for-the-world-to-view/">https://www.riskbasedsecurity.com/2016/07/thomson-reuters-world-check-terrorist-database-open-for-the-world-to-view/</a><br><p><br>
</p><h1 class="">Thomson Reuters World-Check Terrorist Database, Open For The World To View</h1>
<div class=""><span class="" title="2016-07-01T14:52:45-0400">July 1, 2016</span> By <span class=""><span class=""><a href="http://www.riskbasedsecurity.com/author/risk-based-security/" title="Posts by RBS" rel="author">RBS</a></span></span> </div>
<p><span style="font-weight:400"><img class="" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/07/wc-300x217.png" alt="wc" height="462" width="640"></span></p>
<p><span style="font-weight:400">Recent attacks in </span><a href="http://www.bbc.com/news/world-europe-35869985" target="_blank"><span style="font-weight:400">Brussels</span></a><span style="font-weight:400"> and </span><a href="https://www.theguardian.com/world/2016/jun/29/istanbul-ataturk-airport-attack-turkey-declares-day-of-mourning" target="_blank"><span style="font-weight:400">Turkey’s Ataturk Airport</span></a><span style="font-weight:400">
have shined a light on the process of identifying and tracking
suspected terrorists. As MacKeeper Security Researcher Chris Vickery
discovered, that process includes private companies aggregating details
on millions of people suspected – but not proven – of having ties to
criminal activity. In the past few days, Chris reported his discovery of a </span><a href="http://www.businessinsider.com.au/world-check-terrorism-database-leaks-online-security-researcher-chris-vickery-claims-thomson-reuters-2016-6?r=UK&IR=T" target="_blank"><span style="font-weight:400">“massive terror database of 2 million people”</span></a><span style="font-weight:400"> published online without any security controls. </span></p>
<p><span style="font-weight:400"><a href="https://www.youtube.com/watch?v=H0mlhrtb4W0" target="_blank">Chris Vickery</a>, who has become well known in the industry due to his recent disclosures affecting the </span><a href="https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data" target="_blank"><span style="font-weight:400">Mexican</span></a><span style="font-weight:400"> and </span><a href="http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/#7cb6f84b1bb9" target="_blank"><span style="font-weight:400">American</span></a><span style="font-weight:400"> governments, </span><a href="http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html" target="_blank"><span style="font-weight:400">private companies</span></a><span style="font-weight:400"> and </span><a href="https://nakedsecurity.sophos.com/tag/chris-vickery/" target="_blank"><span style="font-weight:400">several others</span></a><span style="font-weight:400">,
announced the discovery of an open, unsecured database containing
details on 2.2 million persons identified as “heightened-risk
individuals”. The database, which is owned by Thomson Reuters, is called
</span><a href="https://risk.thomsonreuters.com/products/world-check" target="_blank"><span style="font-weight:400">World-Check</span></a><span style="font-weight:400">.
The purpose of the service is to provide data to banks, financial
institutions, and corporations in order to comply with “know your
customer” regulations as well as supplying information to law
enforcement, governments and intelligence agencies. The persons included
in the database are believed to have</span><a href="https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions" target="_blank"><span style="font-weight:400"> some sort of “mark” associated with their name</span></a><span style="font-weight:400"> for one reason or another, but it appears mostly because they were found in the news.</span></p>
<p><span style="font-weight:400">The discovery of the exposed data was
announced by Chris on Reddit and the issue has since received a lot of
attention, both in the media and in the security community. Chris stated
that he was considering </span><a href="https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/" target="_blank"><span style="font-weight:400">publishing this data</span></a><span style="font-weight:400"> and he even provided a list of Pros and Cons. He has since </span><a href="https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/" target="_blank"><span style="font-weight:400">decided not to leak the data (to many commenters’ displeasure) and to only share the full data with some trusted sources</span></a><span style="font-weight:400">,
one of whom is Risk Based Security (RBS). Our researchers were in
contact with Chris and obtained a copy of the data for full analysis of
the contents (see below). </span></p>
<p><span style="font-weight:400">The data, provided in JSON format,
was over 4GB and came from a CouchDB system. Chris confirmed to RBS that
“The original leaky CouchDB had no authentication at all. No username
or password necessary or requested.” There are 2,248,125 entries in the
database, consisting of individuals tracked due to their alleged various
ties to political, criminal or military organizations as well as other
individuals. The data is aggregated from multiple public sources into a
central database run by Thomson Reuters under its risk management
solution product called World-Check. </span></p>
<p><b>What is World-Check? </b></p>
<p><span style="font-weight:400">World-Check was a London-based firm
founded in 2000 by David Leppen. In 2008, World-Check acquired another
company named IntegraScreen, a provider of due diligence reporting
services. In 2011, World-Check was </span><a href="http://fortune.com/2011/05/17/thomson-reuters-buying-crime-prevention-company-for-530-million/" target="_blank"><span style="font-weight:400">sold to Thomson Reuters Enterprise for a rumored $530M</span></a><span style="font-weight:400"> with the goal of expanding their Governance, Risk & Compliance business.</span></p>
<p><span style="font-weight:400">According to the </span><a href="https://risk.thomsonreuters.com/products/world-check" target="_blank"><span style="font-weight:400">World-Check homepage</span></a><span style="font-weight:400">, they claim that their “information is collated from an extensive network of 100,000’s of reputable sources”.</span></p>
<p><img class="" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/07/wc1.png" alt="wc1" height="352" width="693"></p>
<p><span style="font-weight:400">They further state that “in 2012
alone we identified more than 180 entities before they appeared on the
US Treasury Office of Foreign Assets Control (OFAC) list based on
reputable sources identifying relevant risks.”</span></p>
<p><img class="" src="https://www.riskbasedsecurity.com/wp-content/uploads/2016/07/wc2.png" alt="wc2" height="291" width="762"></p>
<p><b>World-Check Database Analysis</b></p>
<p><span style="font-weight:400">In the Reddit post, </span><a href="https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/" target="_blank"><span style="font-weight:400">Chris states</span></a><span style="font-weight:400">
that “I have obtained a copy of the World-Check database from
mid-2014”. Our analysis confirms this, as we see entries in the
database starting 2000-03-17 and the last entry has an end date of
2014-09-17. The start date aligns exactly with the company founding,
but why the database ends in 2014 isn’t confirmed. It is worth noting
that historically we have seen issues such as this related to test
servers or backups that have been forgotten.</span></p>
<p><span style="font-weight:400">The data fields for each entry consist of the following:</span></p>
<blockquote><p><span style="font-weight:400">category, subcategories,
creation dates, Social Security number, first name, last name, aliases,
alternative spellings, low quality aliases, dates of birth, deceased
status, further information, passports id numbers and countries, company
numbers, source references, and citizenship status</span></p></blockquote>
<p><span style="font-weight:400">RBS researchers found that the
Category, Further Information and Source Reference data fields offer the
most interesting insight from the database. </span></p>
<p><b>Category Field</b></p>
<p><span style="font-weight:400">The category field contains over 13
different selection types, and it appears that some categories have
associated subcategories as well. One of the other interesting
discoveries is that World-Check is not only tracking humans, but
apparently tracking vessels as well. </span></p>
<p><span style="font-weight:400">Here is a breakdown of the Full Categories field options and the number of detections for each:</span></p>
<ul><li style="font-weight:400"><span style="font-weight:400">CRIME – FINANCIAL – 181,060</span></li><li style="font-weight:400"><span style="font-weight:400">CRIME – NARCOTICS – 130,115</span></li><li style="font-weight:400"><span style="font-weight:400">CRIME – OTHER – 67,606</span></li><li style="font-weight:400"><span style="font-weight:400">CRIME – ORGANIZED – 46,003</span></li><li style="font-weight:400"><span style="font-weight:400">CORPORATE – 176,009</span></li><li style="font-weight:400"><span style="font-weight:400">DIPLOMAT – 66,385</span></li><li style="font-weight:400"><span style="font-weight:400">INDIVIDUAL – 928,804</span></li><li style="font-weight:400"><span style="font-weight:400">LEGAL – 82,937</span></li><li style="font-weight:400"><span style="font-weight:400">MILITARY – 16,963</span></li><li style="font-weight:400"><span style="font-weight:400">POLITICAL INDIVIDUAL – 450,591</span></li><li style="font-weight:400"><span style="font-weight:400">POLITICAL PARTY – 5,175</span></li><li style="font-weight:400"><span style="font-weight:400">TERRORISM – 76,890</span></li><li style="font-weight:400"><span style="font-weight:400">VESSEL – 918</span></li></ul>
<p><span style="font-weight:400">Out of the people tracked there were 375,071 Females and 1,313,977 Males.</span></p>
<p><b>Further Information</b></p>
<p><span style="font-weight:400">The further information field appears
to be broken down into different sections, some of which include
[BIOGRAPHY], [IDENTIFICATION], [REPORTS].</span></p>
<p><span style="font-weight:400">The following provides a few examples of the type of data (we have redacted portions) included in the Further Information field:</span></p>
<blockquote><p><span style="font-weight:400">“May 2011 – arrested on suspicion of committing motor insurance fraud of approximately JPY7.5m.”</span></p>
<p><span style="font-weight:400">“Member of 12th [REDACTED] Provincial
People’s Congress representing [REDACTED] ([REDACTED]). Mayor of
[REDACTED] District ([REDACTED]). Member of Communist Party of China. “</span></p>
<p><span style="font-weight:400">“[REPORTS] Aug 2014 – no further information reported.”</span></p>
<p><span style="font-weight:400">“[BIOGRAPHY] Lawyer. [IDENTIFICATION]
[REDACTED]. [REDACTED](PEP) (father). [REDACTED](mother).[REDACTED]
(brother). [REDACTED] (brother). [REDACTED](brother). [REPORTS] Aug 2014
– no further information reported.”</span></p>
<p><span style="font-weight:400">“[BIOGRAPHY] Suspected links to
organised crime elements of a crime group affiliated with the
Yamaguchi-gumi crime syndicate. [IDENTIFICATION] [REDACTED] (associate).
[REDACTED] (associate). [REPORTS] May 2011 – arrested on suspicion of
committing motor insurance fraud of approximately JPY7.5m.”</span></p>
<p><span style="font-weight:400">“[BIOGRAPHY] Member of
[REDACTED]Provincial People’s Congress representing [REDACTED] (Jan 2013
– ). Mayor of [REDACTED] (Feb 2012 – ). Member of Communist Party of
China. [IDENTIFICATION] Native of [REDACTED]. [REPORTS] To be
determined.”</span></p>
<p><span style="font-weight:400">May 2006 – escaped from custody while
serving 15-year-sentence for armed bank robbery. Jun 2006 – charged
with prison escape. Jul 2006 – pleaded guilty. Sep 2006 – sentenced to 4
months imprisonment and 3 years supervised release. Previously
convicted on armed robbery and violence charges.</span></p>
<p><span style="font-weight:400">UAE. [REDACTED] (Aug 2009 – ). f.k.a.
TOYOEI MARU ( – Aug 2009). FLAG: Iran (Aug 2009 – ). FORMER FLAG:
Mongolia (May 2009 – Aug 2009), Japan ( – May 2009). [REPORTS] To be
determined.</span></p></blockquote>
<p><b>Source Reference</b></p>
<p><span style="font-weight:400">While one can argue that the data
collected was pulled from already public sources, the Source Reference
field has what can be described as an extensive amount of raw links to
sources that back up the claims made in the Further Information fields.
The sources used range from the US and Chinese government to individual
and small news sites. <br></span></p><p><b>Is this any different than the other data breaches?</b></p>
<p><span style="font-weight:400">As </span><a href="https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/" target="_blank"><span style="font-weight:400">Thomson Reuters requested it to be known</span></a><span style="font-weight:400">,
they are not the only company gathering this kind of data and putting
together this type of database. Also, this database isn’t the first –
and clearly will not be the last – exposed on the Internet via Shodan
that causes problems for its owner. However, this is the first database
of this type, with aggregated details on suspected terrorists or people
being tracked because of their various suspect affiliations. </span></p>
<p><span style="font-weight:400">Should we be concerned when data like
this is floating around unsecured, indexed and open on the Internet? As
individuals with an interest in protecting our privacy and identity,
the natural focus is on how the organizations we choose to share our
information with go about using and protecting the data we provide. But
in the case of World-Check, this data was not given to them by the
individuals in the database. Rather the company was tracking individuals
via public sources and in some cases apparently making assumptions to
include the person based on published information. As Chris rightly
points out in his deliberations around sharing the data, “innocent
people that have been put on this list deserve to know that they are on
it.” In fact, many of the individuals on the list were marked as
“Deceased”, perhaps one could conclude making it even more high risk if
you wrongly ended up on this list. Taking it even further, this
information could be construed as a pure “blacklist” of specific people
and potentially could be quite dangerous if in the hands of certain
governments, private companies or criminals. Certainly this is one
reason why reportedly “</span><a href="http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/" target="_blank"><span style="font-weight:400">access to its contents is granted via a strict vetting process and the signing of NDA’s</span></a><span style="font-weight:400">.” Chris himself appears to have some concerns over this particular issue, as he has published what he called the “</span><a href="https://www.reddit.com/r/torrentlinks/comments/4qf8rn/vickery_insurance_file_torrent/"><span style="font-weight:400">Vickery Insurance File torrent</span></a><span style="font-weight:400">”.</span></p>
<p><span style="font-weight:400">Regardless of whether this type of
aggregated data is a concern or not since it is based on already public
data, it is yet another great cautionary tale of when information
security practices go wrong. Asset Management and comprehensive data
inventory are critical to an information security program and cannot be
ignored, just because it is deemed as “hard” to do. Just </span><a href="http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0" target="_blank"><span style="font-weight:400">ask JP Morgan</span></a><span style="font-weight:400"> about the impact of neglected servers or </span><a href="https://www.riskbasedsecurity.com/2016/05/australia-cabcharge-data-exposed-still-waiting-for-a-response-much-like-their-customers/" target="_blank"><span style="font-weight:400">Cabcharge about their data being exposed</span></a><span style="font-weight:400">.</span></p>
<p><span style="font-weight:400">As for Thomson Reuters, in the future </span><a href="https://www.reddit.com/r/privacy/comments/4qlpab/update_on_worldcheck_database_leak/" target="_blank"><span style="font-weight:400">they might want to better consider the vendors</span></a><span style="font-weight:400"> that they work with as it appears an outsourced firm known as </span><a href="http://www.smartkyc.com/"><span style="font-weight:400">SmartKYC</span></a><span style="font-weight:400"> is responsible for the leaky database as it was confirmed that they worked with them to secure the data.</span></p></div></div></div></div></div></div></div></div>
</div>