Security researcher Chris Vickery, who has become well-known for unearthing databases that should not be accessible via the Internet but are, has found another one that contains old data from Thomson Reuters’ World-Check database of politically exposed persons and heightened risk individuals and organizations.
World-Check is used by 49 of the 50 biggest banks, 9 of the top 10 global law firms, and over 300 government and intelligence agencies around the world. It lists over 2.7 million people who have been flagged for potential involvement or link to terrorism, money laundering, bribery, organized crime, etc.
“25% of World-Check data is derived from information on sanctions, watch or regulatory and law enforcement lists. The remaining 75% consists of PEP [politically exposed persons] information as well as individuals and entities not found on official lists, but who instead are reported to be connected to sanctioned parties, or reported to have been investigated for, or convicted of engaging in, financial crime related activities,” Thomson Reuters explains.
“The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism,” notes Vickery.
He says that the database he found was not the one operated by Reuters, which is accessible to vetted users for a fee. Also, this database contains a copy of the World-Check database from mid-2014.
He took to Reddit’s Privacy subreddit to ask users what should he do with the data.
“When private data is involved, I always do my best to get the database secured before disclosing news of the exposure. However, this brand new find is a different kind of animal. It appears to all be sourced from publicly available material,” he explained his thought process.
He also pointed out a few arguments for and against making the data public, but hasn’t released it so far.
Instead, he contacted Thomson Reuters with the information about the location of the database.
“We are grateful to Chris Vickery for bringing this to our attention, and have acted with the upmost urgency to contact the third party concerned – with whom we are now in contact in order to secure the information,” a company spokesperson has stated.
Earlier this year Vice accessed the original database, and revealed some of the people and organizations that are listed in it under its “terrorism” category, a move that made some of them react with “anger and shock” and dispute the categorization.
Critics of the practice of compiling such lists say that it’s more than likely that mistakes are and will be made when adding individuals and organizations to them, and this could seriously impact those people’s lives and livelihood, and those organizations’ functioning.
Thomson Reuters is not the only firm that compiles such a database. According to a report commissioned by the Canadian government, Dow Jones, Oracle Mantas, Verafin, Lexis Nexis, and others also keep and fill out databases for identifying possible money launderers and terrorists.