Secret Terrorist Watchlist With 2 Million Records Exposed Online

A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records, was exposed on the internet.

The list was left accessible on an Elasticsearch cluster that had no password on it.

Millions of people on no-fly and terror watchlists exposed

In July this year, Security Discovery researcher Bob Diachenko came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest.

The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status.

The exposed server was indexed by search engines Censys and ZoomEye, indicating Diachenko may not have been the only person to come across the list:

An excerpt from exposed watchlist records (Bob Diachenko)

The researcher told BleepingComputer that given the nature of the exposed fields (e.g. passport details and “no_fly_indicator”) it appeared to be a no-fly or a similar terrorist watchlist.

Additionally, the researcher noticed some elusive fields, such as “tag,” “nomination type,” and “selectee indicator,” that he did not immediately understand.

“That was the only valid guess given the nature of data plus there was a specific field named ‘TSC_ID’,” Diachenko told BleepingComputer, which hinted to him the source of the recordset could be the Terrorist Screening Center (TSC).

FBI’s TSC is used by multiple federal agencies to manage and share consolidated information for counterterrorism purposes.

The agency maintains the classified watchlist called the Terrorist Screening Database, sometimes also referred to as the “no-fly list.”

Such databases are regarded as highly sensitive in nature, considering the vital role they play in aiding national security and law enforcement tasks.

Terrorists or reasonable suspects who pose a national security risk are “nominated” for placement on the secret watchlist at the government’s discretion.

The list is referenced by airlines and multiple agencies such as the Department of State, Department of Defense, Transportation Security Authority (TSA), and Customs and Border Protection (CBP) to check whether a passenger is allowed to fly or is inadmissible to the U.S., or to assess their risk for various other activities.

Server taken offline 3 weeks after DHS notified

The researcher discovered the exposed database on July 19th. Interestingly, it was on a server with a Bahrain IP address, not a US one.

He rushed to report the data leak to the U.S. Department of Homeland Security (DHS) the same day.

“I discovered the exposed data on the same day and reported it to the DHS.”

“The exposed server was taken down about three weeks later, on August 9, 2021.”

“It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it,” writes Diachenko in his report.

The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime.

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families.”

“It could cause any number of personal and professional problems for innocent people whose names are included in the list,” says the researcher.

Cases where people landed on the no-fly list for refusing to become an informant aren’t unheard of.

Diachenko believes this leak could therefore have negative repercussions for such people and suspects.

“The TSC watchlist is highly controversial. The ACLU, for example, has for many years fought against the use of a secret government no-fly list without due process,” continued the researcher.

Note, it is not confirmed if the server leaking the list belonged to a U.S. government agency or a third-party entity.

BleepingComputer has reached out to the FBI and we are awaiting their response.

Update 11:02 PM ET: The FBI had no comment on the matter.
