A secret watchlist of suspected terrorists managed by the US Federal Bureau of Investigation was exposed online for three weeks, between July 19 and August 9, according to the security researcher Volodymyr "Bob" Diachenko.
The leaked watchlist, maintained by the Terrorist Screening Center (TSC), a multi-agency group administered by the FBI, contained 1.9 million records, which included such information as full name, TSC watchlist ID, citizenship, gender, date of birth, passport number, country of issuance, and no-fly indicator. The list was left online without a password or any other protection.
The TSC watchlist is a classified database of suspected terrorists, including a smaller “no-fly” list. The information is shared with the Departments of State and Defense, US Customs and Border Protection, and the Transportation Security Administration, as well as international partners.
The unprotected database was discovered on July 19 when it was indexed by search engines Censys and ZoomEye.
Diachenko said he promptly reported the leak to the Department of Homeland Security; however, the exposed server was taken down only three weeks later, on August 9. It’s unclear why it took the department so long to secure the server. It is also unknown whether the list was accessed by third parties during the time it was exposed online.