Dow Jones Partner Leaks Global Watchlist Data

Written by

Dow Jones has landed itself in trouble again after an authorized third party accidentally left a highly sensitive list of criminals, terrorists and dodgy businesses on a publicly accessible cloud server.

The list, which contained over 2.4 million records, was found by researcher Bob Diachenko sitting on a public Elasticsearch cluster.

The 4.4GB trove was a copy of the Dow Jones Watchlist, a risk and compliance instrument kept by many financial organizations and designed to provide details of “politically exposed persons,” criminals and those linked to high-profile crime, and government sanctions lists.

The idea is that banks and other institutions can check such lists as part of their global due diligence efforts, such as money laundering checks.

Although the data is scraped from public sources, the watchlist is deliberately kept a closely guarded secret.

“Publicly revealing the database beyond the aforementioned leak could be reckless: Watchlist database contains sensitive information on citizens regarding their alleged criminal histories and possible terrorist links,” said Diachenko.

“What makes this data so much more valuable is the focus on premium and reputable sources. In the age of fake news and social engineering online it is easy to see how valuable this type of information would be to companies, governments, or individuals.”

Dow Jones swiftly remediated the incident when notified by Diachenko.

“At this time our investigation suggests this resulted from the misconfiguration of an authorized third party's AWS instance. There is no evidence to suggest our own systems have been compromised,” it told Infosecurity in a statement.

However, this isn’t the first time the news and analytics giant has been caught out. In July 2017, it leaked the personal information of over two million subscribers plus data from its Risk & Compliance lists.

The AWS S3 bucket was in this case configured via permission settings to allow any AWS “Authenticated Users” to download the data via the repository’s URL. Registration for such an account is free and at the time over one million users were “authenticated” in this way, according to UpGuard.

What’s hot on Infosecurity Magazine?