Thomson Reuters are reportedly working to recover more than 2.2 million records from their ‘World-Check’ database of “heightened risk individuals and groups” used by government, banks, law enforcement, and intelligence agencies around the world.
Chris Vickery, a security researcher, posted on Reddit that he has obtained a copy of the World-Check database from mid-2014.
The post said, ‘the database contains millions of “heightened-risk individuals and organizations”. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.’
Forming part of the company’s “risk management solutions,” the Thomson Reuters website explains, ‘We cover more than 240 countries and territories, and monitor over 530 sanction, watch and regulatory law and enforcement lists, and hundreds of thousands of information sources, often identifying heightened-risk entities months or years before they are listed.’
‘Thomson Reuters is working feverishly to get it secured,’ Chris told the Register, explaining that he had alerted the company about the leak, but was still considering whether to publish the content contained in it.
In a statement to TechCrunch, Thomson Reuters confirmed the leak, explaining that it was a “third-party” act.
The company said, ‘Thomson Reuters was yesterday alerted to out-of-date information from the World-Check database that had been exposed by a third party.’
‘We are grateful to Chris Vickery for bringing this to our attention, and immediately took steps to contact the third party responsible. As a result, we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident,’ the company added.
Chris revealed that the leak was due to a CouchDB (open source non-relational database software) instance that was mistakenly configured for public access.
According to Chris, SmartKYC is responsible for the CouchDB instance.
‘Thomson Reuters did confirm to me early this morning that they have been working with SmartKYC to secure the data and it is believed to now be offline,’ said Chris.