The Dow Jones Watchlist, a dataset of 4.4 Gigabytes, was found exposed in an unprotected Elasticsearch database on an AWS server. The Watchlist is used by many of the world’s largest organizations as part of their due diligence for both large and small contracts and transactions. While it contains the financial status of companies, it also includes sensitive information about individuals.
Researcher and security consultant Bob Diachenko discovered the database on February 22, 2019, and informed Dow Jones on the same day. It was rapidly taken down, and Dow Jones announced, “This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”
But Diachenko had already seen it. He had potentially downloaded it, and possibly shared at least portions with TechCrunch — who wrote, “Many of those on the list include ‘special interest persons,’ according to the records in the exposed database seen by TechCrunch.”
Diachenko himself announced, “it contained the identities of government officials, politicians and people of political influence in every country of the world. The data is designed to help identify risks when researching an individual and efficient due diligence. Obviously, banks use Watchlist data to identify money laundering and illicit payments through key information about a public figure’s identity.”
The database comprised 2,418,862 records, including politically exposed persons, government sanction lists, persons linked to or convicted of high-profile crimes, and notes sourced from federal agencies and LEAs. Each record specified one or more lists to categorize the subject — such as ‘Special Interest Person’. Since the database is international in nature, it will undoubtedly include politicians and citizens of the European Union. It remains to be seen whether European data regulators will consider this exposure to be a breach of GDPR (Dow Jones lists offices in London, Paris, Berlin and Barcelona).
Robert Prigge, president at Jumio, thinks the leak should not be considered ‘earth-shattering’. “The lists of politically exposed persons, terrorists and convicted cybercriminals are compiled and curated from a variety of third-party databases,” he said. “These lists are then used by a variety of companies including Dow Jones, Thomson Reuters (now Refinitiv), and ComplyAdvantage, so the actual exposure of 2.4 million records of high-risk individuals and business entities may not be as critical or earth-shattering as other breaches involving less visible end-consumers and where usernames, passwords and other personal information is compromised.”
He added, “That’s not to say that this data won’t creep into the dark web — it probably will — but the impact to the Average Joe will probably be less.”
Carl Wright, CCO at AttackIQ, is more concerned. “There may be people on the list that are innocent,” he says, “and the risky individuals are now aware they are on the list and can change their tactics to avoid detection in the future.”
“Dow Jones’ exposed database,” adds Anurag Kahol, CTO and founder at Bitglass, “contained sensitive details on current and former politicians, alleged and convicted criminals, citizens with possible terrorist links, companies facing sanctions, and organizations convicted of high-profile crimes. Leaving this information unprotected is both careless and irresponsible, as is failing to address the issue in detail with the public.”
Databases left unprotected on AWS servers are not uncommon. The problem is that they are not difficult to find — Diachenko suggests, “any public IoT search engine, such as BinaryEdge.” There are also commercial products that will highlight a company’s unprotected cloud instances. The problem in this case appears to have come from an authorized third party, such as a contractor, so Dow Jones itself may have been unaware of the existence of this copy of the database.
That would not affect any potential GDPR action. Dow Jones would remain the data controller and would remain responsible for the data.
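The exposure described above is the classic Elasticsearch misconfiguration: the HTTP API is bound to a public interface with authentication switched off, so anyone who finds port 9200 can read every index. The script below is an added example (not code from Dow Jones, Diachenko, or the article) that audits an elasticsearch.yml fragment for exactly that combination. Both config fragments are constructed for the example; the cluster name is made up. It treats an absent `xpack.security.enabled` key as "not enabled", which is an assumption, since the default has varied across Elasticsearch versions.

```python
"""Audit an elasticsearch.yml fragment for the settings that leave a cluster
readable by anyone who can reach port 9200.

Added example for this article; the config text is constructed, not taken
from the exposed Dow Jones instance.
"""

# Constructed example of the weak configuration: bound to every interface,
# security disabled.  This is the shape of an "unprotected" instance.
WEAK_CONFIG = """\
cluster.name: example-watchlist-copy   # constructed name
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed corrected configuration: bound to loopback only, security and
# TLS switched on.  A reverse proxy or VPN would front the service instead.
HARDENED_CONFIG = """\
cluster.name: example-watchlist-copy   # constructed name
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the API off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text):
    """Parse the flat `key: value` lines of elasticsearch.yml into a dict.

    Comments (after '#') and blank lines are ignored; values are lower-cased
    so that 'True' and 'true' compare equal.  Nested YAML is not handled,
    which is enough for the dotted keys Elasticsearch uses.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().lower()
    return settings


def audit(text):
    """Return a list of findings for a config fragment; empty means no issue."""
    settings = parse_settings(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is not set.
    host = settings.get("network.host", "_local_")
    publicly_bound = host not in LOOPBACK

    # Assumption: treat a missing key as "not enabled".  The real default
    # depends on the Elasticsearch version, so require it explicitly.
    security_on = settings.get("xpack.security.enabled") == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled") == "true"

    if publicly_bound and not security_on:
        findings.append(
            f"HTTP API bound to {host} with xpack.security.enabled != true: "
            "every index is readable without credentials"
        )
    if publicly_bound and not tls_on:
        findings.append(
            f"HTTP API bound to {host} without TLS: credentials and data "
            "travel in clear text"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Binding to loopback is one layer; the AWS security group for the instance should also deny inbound 9200/9300 from the internet, and a copy held by a contractor should be inventoried so the data controller knows it exists at all.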