A security researcher named Bob Diachenko discovered a trove of personal digital records online in an unprotected Elasticsearch cluster. Worryingly, viewing the data required no password or identity authentication.
While the source of the data has yet to be revealed, Diachenko has evaluated the list and it appears to have originated from an FBI-DHS terrorist watchlist, of a type used by several federal agencies. The list appears to come from the U.S. Terrorist Screening Center, a multi-agency group. The list was created by the Bush administration after the September 11 attacks of 2001.
A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, plus a person’s no-fly indicator. The ‘No Fly Watchlist’ is a list of people who are prohibited from boarding commercial aircraft for travel within, into, or out of the U.S.
Following the recent ‘No-Fly’ watchlist data leak, which exposed nearly 2 million records of personally identifiable information, Pravin Rasiah, VP of Product at CloudSphere, considers the ramifications for Digital Journal.
According to Rasiah, perhaps the most concerning aspect of the incident is the availability of the data in the first place. Here he notes: “All sensitive data must be properly secured, and having complete visibility into what data your agency has, and where it is stored, is a critical piece of the puzzle.”
On this specific case, he reflects: “The fact that these records were left exposed without even basic password protection or identity authentication requirements for access is a big miss.”
While the inquiry is continuing, Rasiah conjectures: “There could be a number of causes why this data was overlooked, including being mishandled in a larger migration initiative, or the simple changing of cloud permission settings.”
As to how the event may have happened, Rasiah goes on: “Whether moving volumes of data from on-premises to the cloud for the first time, or changing permissions, many organizations have fallen victim to breaches because they do not have sufficient visibility into their environments, and thus fail to properly tag, store and secure data.”
In terms of the long-term fix, Rasiah recommends that companies seriously consider: “Advanced governance solutions can plug this gap to ensure data remains secure, no matter where it is stored.”