Global ‘terror’ database leak reveals 2.2mn people tracked by spy agencies

© Kim Hong-Ji
Thomson Reuters are reportedly “working feverishly” to recover more than 2.2 million records which form their ‘World Check’ database of “heightened risk individuals and entities” used by governments, banks, and law firms around the world.

Reddit user Chris Vickery says he obtained a copy of the database, although he won’t reveal how until “a later time.”

The security researcher says the database is from mid-2014 and contains millions of “heightened-risk individuals and organizations,” which it places in one or more of a number of categories, including terrorism, money laundering, organized crime, bribery, corruption, and “other unsavory activities.”

Forming part of the company’s “risk management solutions,” Thomson Reuters says it’s used by more than 300 government and intelligence agencies around the world, as well as 49 of the world’s top 50 banks and nine of the top 10 global law firms.

To access the database, customers must pay an annual subscription charge, which can reach up to $1 million, according to Vice, with potential subscribers then vetted before approval.

Vickery says he understands that the “original location of the leak is still exposed to the public internet.”

"Thomson Reuters is working feverishly to get it secured,” he told The Register, explaining he had alerted the company to the leak, but was still considering whether to publish the information contained in it.

Described on its website as a tool to “screen for heightened risk individuals and entities globally to help uncover hidden risks in business relationships and human networks,” the company says it covers more than 240 countries and territories, and monitors more than 530 “sanction, watch, regulatory and law enforcement lists.”

The database has been repeatedly criticized by opponents who say it’s unfair for people to be classified on the list without their knowledge while there is also the risk that some are classified incorrectly.

A number of British citizens had their bank accounts closed in 2014 after HSBC declared them to be too risky to deal with. They had appeared on the ‘World Check’ database, which the BBC found was sourcing some information from Wikipedia, blogs, and biased news reports.

Similarly, Vice found that an American civil rights leader, a former World Bank and Bank of England advisor who was given an OBE, and a prominent British anti-extremism campaigner - all three of whom were Muslim - were all given a ‘terrorism’ designation in the database.

The discovery of such leaks isn’t new for Vickery who in the last the seven months alone has uncovered three major security breaches in databases.

He found a publicly-available online database containing the personal information of 191 million voters in December, and found the personal data of up to 3.3 million users of several Hello Kitty websites in a separate discovery.

Vickery also unearthed the personal details of 4,926 users of Hzone dating app, which is aimed at people who are HIV-positive, including their date of birth, email address, ethnicity, last login, IP address, number of children, and password encryption keys.

READ MORE: HIV+ dating app leaks users’ private information, threatens discoverer with infection