A database containing the names of people suspected to be involved in terrorism and organized crime has been obtained by a white hat hacker who is pondering whether to make the data public. The records belong to World-Check Risk Screening, a division of Thomson Reuters.
World-Check helps clients screen for heightened-risk individuals and entities globally to help uncover hidden risks in business relationships and human networks, according to the company. That includes details about people and organizations suspected to be involved in money laundering, organized crime and terrorism.
Thomson Reuters confirmed this week that an out-of-date version of the database was exposed by an unnamed third party. The leak was discovered by a security researcher named Chris Vickery, who notified The Register. Thomas Reuters has since removed the material, according to reports.
That news outlet reported that the database contained more than 2 million records and was about two years old. Vickery told the Reddit discussion board that the database wasn’t protected, and that he gained access to it without a username or password.
From Many Sources
The database was unprotected and was not hosted directly by the company, according to Thomson Reuters. The company said that the World-Check subsidiary aggregates financial crime data from the public domain, including official sanctions data, to help clients meet their regulatory responsibilities.
Other sources of information used to collate the database include local law enforcement records, social media posts, political Web sites and articles published in media outlets and on personal blogs.
"We are grateful to Chris Vickery for bringing this to our attention, and immediately took steps to contact the third party responsible -- as a result we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident," David Crundwell, a Thomas Reuters spokesman, said in an email to media outlets.
Individuals' dates and places of birth were also included in the database. Before it was taken down, users in the United States could buy access to the database from Thomson Reuters, although access to the database is restricted in European countries.
Some privacy advocates have said that the Thomson Reuters database wrongly designate citizens and organizations as terrorists or criminals. Banks and other institutions have used the data to ensure that they are not help helping terrorists.
Inaccurate terror designations based on the data were first revealed by the BBC when it gained temporary access to the database a year ago after being prompted by a disgruntled World-Check Risk Screening customer. The BBC report revealed that the bank accounts of numerous British citizens were closed in 2014 -- with no possibility of appeal -- because of what those people said were inaccurate records in World-Check.
Thomson Reuters said it will provide citizens and organizations information about data that might be about them, but only by request. In the past, Vickery has exposed database leaks related to Mexican voters, a Hello Kitty online fan community and medical records.