A terrorist watch list compiled by the U.S. government with 1.9 million records has been found exposed online in the latest case of unsecured cloud storage.

Detailed today by security researcher Bob Diachenko, the watch list was discovered on an exposed Elasticsearch cluster on July 19. The list came from the Terrorist Screening Center, a multi-agency group administered by the Federal Bureau of Investigation. The TSC maintains the country’s no-fly list, which is said to be a subset of the larger watchlist.

The watchlist typically includes full name, citizenship, gender, date of birth, passport number and no-fly indicator. Other datasets included fields such as tag, nomination type and selected indicator.

Diachenko immediately informed the Department of Homeland Security of his discovery and the database was taken down three weeks later on Aug. 9. It’s unknown why it took so long to be taken down or whether unauthorized parties had accessed it.

The TSC no-fly list has been controversial in the past because it included people who have not been charged with crimes. The list was found to violate constitutional protections in 2014 and, more recently, alleged domestic terrorists have been added to it.

Although all the data is not completely secret because people in the U.S. have to be informed when they are added to it, the exposure still has risks. Diachenko noted that in the wrong hands, the list could be used to harass or persecute people on the list or their families, particularly when innocent people are wrongly included on the list.

“Exposure of records through misconfiguration is a major issue whether we are talking about public cloud misconfigurations or of any service exposed to the internet,” Saumitra Das, chief technology officer and co-founder at cloud-native AI security firm Blue Hexagon Inc., told SiliconANGLE. “Organizations needs to continuously monitor all resources deployed in their enterprise to minimize risks of such exposure.”

“Elasticsearch clusters, S3 buckets, databases have all been left open by organizations as well as their third-party suppliers and vendors that have resulted in a data breach,” Das added. “Such records can be sold on the dark web or used for further attacks, specially if credentials are involved.”

Photo: Frankieleon