A security researcher managed to get hold of Thomson Reuters’ World-Check database, which flags terrorism and organised crime suspects.
A researcher has obtained a copy of Thomson Reuters' "World-Check" confidential intelligence database, which is used by governments, intelligence agencies, banks, law firms and more to scope out risks including suspected terrorists. It was likely left exposed on the open internet by a third party.
Described by Thomson Reuters as a "global screening solution," the World-Check service, which relies on information from all over the world, is designed to give deep insight into financial crime and the people potentially behind it.
"We monitor over 530 sanction, watch and regulatory law and enforcement lists, and hundreds of thousands of information sources, often identifying heightened-risk entities months or years before they are listed. In fact, in 2012 alone we identified more than 180 entities before they appeared on the US Treasury Office of Foreign Assets Control (OFAC) list based on reputable sources identifying relevant risks," the Thomson Reuters website reads.
It includes the categories "political individual," "corporate," "military," "crime—narcotics," and "terrorism"
Although World-Check is based on public information, European privacy laws impose strong restrictions on the collection, storage, and publication of information about individuals. For that reason, the database can only be used for screening purposes by customers vetted by Thomson Reuters.
On Tuesday, however, security researcher Chris Vickery wrote on Reddit that he had obtained a mid-2014 copy of the database. Although he doesn't say exactly how he came across the data, Vickery has previously found dozens of open databases which can be accessed with no authentication, including customer details, voting records, and more.
"No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time," Vickery wrote.
Motherboard has reviewed a copy of the exposed World-Check database. It contains over 2,240,000 entries, and includes the categories "political individual," "corporate," "military," "crime—narcotics," and "terrorism."
However, World-Check can sometimes flag those not involved in crime. As VICE News previously found, the database has listed major charities, activists, and mainstream religious institutions under the label of "terrorism." Those include the Council on American-Islamic Relations' (CAIR) executive director Nihad Awad; Liberal Democrat politician Maajid Nawaz, who founded the counter-extremism organisation Quilliam, and former World Bank and Bank of England advisor Mohamed Iqbal Asaria. None of these people have ever faced terrorism charges, VICE News adds.
"Thomson Reuters was yesterday alerted to the fact that out of date information from the World-Check database had been exposed by a third party. We are grateful to Chris Vickery for bringing this to our attention, and have acted with the utmost urgency to contact the third party concerned—with whom we are now in contact in order to secure the information," David Crundwell, a spokesperson for Thomson Reuters told Motherboard in a statement.
"World-Check aggregates financial crime data from the public domain, including official sanctions data, to help clients meet their regulatory responsibilities," he continued.
A World-Check fact sheet says the service is used by over 300 government and intelligence agencies, nine of the top ten global law firms, and 49 of the world's top 50 banks. Overall, the service allegedly has over 6,000 customers in 170 countries.
Update June 29, 14:50: After the publication of this article, a spokesperson from Thomson Reuters wrote in an email that the company had contacted the third party responsible for the leak and that they had taken down the information. "We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident," the spokesperson added.