A watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.
Bob Diachenko, an independent security researcher, found the Amazon-hosted Elasticsearch database exposing more than 2.4 million records of individuals or business entities.
The data, since secured, is the financial giant’s Watchlist database, which companies use as part of their risk and compliance efforts. Other financial companies, like Thomson Reuters, have their own databases of high-risk clients, politically exposed persons and terrorists — but have also been exposed over the years through separate security lapses.
A 2010-dated brochure billed the Dow Jones Watchlist as allowing customers to “easily and accurately identify high-risk clients with detailed, up-to-date profiles” on any individual or company in the database. At the time, the database had 650,000 entries, the brochure said.
That includes current and former politicians, individuals or companies under sanctions or convicted of high-profile financial crimes such as fraud, or anyone with links to terrorism. Many of those on the list include “special interest persons,” according to the records in the exposed database seen by TechCrunch.
Diachenko, who wrote up his findings, said the database was “indexed, tagged and searchable.”
Many financial institutions and government agencies use the database to approve or deny financing, or even in the shuttering of bank accounts, the BBC previously reported. Others have reported that it can take little or weak evidence to land someone on the watchlists.
The data is all collected from public sources, such as news articles and government filings. Many of the individual records were sourced from Dow Jones’ Factiva news archive, which ingests data from many news sources — including the Dow Jones-owned The Wall Street Journal.
But the very existence of a name, or the reason why a name exists in the database, is proprietary and closely guarded.
The records we saw vary wildly, but can include names, addresses, cities and their location, whether they are deceased or not and, in some cases, photographs. Diachenko also found dates of birth and genders. Each profile had extensive notes collected from Factiva and other sources.
One name found at random was Badruddin Haqqani, a commander in the Haqqani guerilla insurgent network in Afghanistan affiliated with the Taliban. In 2012, the U.S. Treasury imposed sanctions on Haqqani and others for their involvement in financing terrorism. He was killed in a U.S. drone strike in Pakistan in August 2012.
The database record on Haqqani, who was categorized under “sanctions list” and terror,” included (and condensed for clarity):
DOW JONES NOTES:
Killed in Pakistan's North Waziristan tribal area on 21-Aug-2012.
OFFICE OF FOREIGN ASSETS CONTROL (OFAC) NOTES:
Eye Color Brown; Hair Color Brown; Individual's Primary Language Pashto; Operational Commander of the Haqqani Network
Additional information from the narrative summary of reasons for listing provided by the Sanctions Committee:
Badruddin Haqqani is the operational commander for the Haqqani Network, a Taliban-affiliated group of militants that operates from North Waziristan Agency in the Federally Administered Tribal Areas of Pakistan. The Haqqani Network has been at the forefront of insurgent activity in Afghanistan, responsible for many high-profile attacks. The Haqqani Network's leadership consists of the three eldest sons of its founder Jalaluddin Haqqani, who joined Mullah Mohammed Omar's Taliban regime in the mid-1990s. Badruddin is the son of Jalaluddin and brother to Nasiruddin Haqqani and Sirajuddin Haqqani, as well as nephew of Khalil Ahmed Haqqani.
Badruddin helps lead Taliban associated insurgents and foreign fighters in attacks against targets in south- eastern Afghanistan. Badruddin sits on the Miram Shah shura of the Taliban, which has authority over Haqqani Network activities.
Badruddin is also believed to be in charge of kidnappings for the Haqqani Network. He has been responsible for the kidnapping of numerous Afghans and foreign nationals in the Afghanistan-Pakistan border region.
Other information: Operational commander of the Haqqani Network and member of the Taliban shura in Miram Shah. Has helped lead attacks against targets in southeastern Afghanistan. Son of Jalaluddin Haqqani (TI.H.40.01.). Brother of Sirajuddin Jallaloudine Haqqani (TI.H.144.07.) and Nasiruddin Haqqani (TI.H.146.10.). Nephew of Khalil Ahmed Haqqani (TI.H.150.11.). Reportedly deceased in late August 2012.
FEDERAL FINANCIAL MONITORING SERVICES NOTES:
Entities and individuals against whom there is evidence of involvement in terrorism.
A Dow Jones spokesperson said in an email: ““This dataset is part of our risk and compliance feed product, which is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.””
We asked Dow Jones specific questions, such as who the source of the data leak was and if the exposure would be reported to U.S. regulators and European data protection authorities, but the company would not comment on the record.
Two years ago, Dow Jones admitted a similar cloud storage misconfiguration exposed the names and contact information of 2.2 million customers, including subscribers of The Wall Street Journal. The company described the event as an “error.”