Dow Jones’ database of risky individuals has been left exposed on a non-password protected server, a security researcher has revealed.
The watchlist, which is used by banks to assess whether they should lend money to people, includes more than 2.4 million records.
It was discovered by Bob Diachenko in an Elasticsearch database hosted on Amazon Web Services, and was accessible to anyone who “knew where to look”, the researcher revealed in a blog post.
The data, which has since been secured, was uploaded to the server by a third-party company and contained the records of politicians, their families, organisations on sanctions lists, and people linked to or convicted of crime.
“What makes this data so much more valuable is the focus on premium and reputable sources,” Diachenko wrote. “In the age of fake news and social engineering online it is easy to see how valuable this type of information would be to companies, governments, or individuals.”
Commenting on the news, Dean Ferrando, a systems engineer at Tripwire, said: “Although the database was compiled using publicly available information, the data leak highlights the importance of maintaining organisations’ security standpoint by continuous monitoring.
“Cybersecurity is very much a matter of prevention, rather than reactive remediation: it is more cost effective to ensure that networks, servers and infrastructures are secure from a foundational level than dealing with the costs of an exposure.”
Javvad Malik, a security advocate at AT&T Cybersecurity, added: “While cloud providers offer a wide range of security features, the implementation and verification of the right security controls comes down to the company using the services.
“It is therefore important to have the right security skills in place so that cloud solutions are well architected with security in mind, and having the right technical and procedural controls in place to provide assurance that the relevant controls are in place, and that any threats can be quickly detected and responded to.”
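One concrete form of the "technical control" described above is an automated audit of the AWS network rules in front of a datastore such as Elasticsearch. The script below is an added example for this article, not code from Dow Jones, Tripwire, AT&T Cybersecurity or the researcher; it walks security-group ingress rules in the structure returned by the EC2 DescribeSecurityGroups API (`IpPermissions`, `IpRanges`, `Ipv6Ranges`, which are real field names) and flags any group that exposes the Elasticsearch HTTP or transport port to the whole internet. The group IDs and rules are constructed sample data, and the port set is an assumption about the deployment being audited.

```python
"""Audit AWS security-group ingress rules for Elasticsearch ports open to the world.

Added example, not part of the original article or any vendor's code.
Assumes the IpPermissions structure returned by EC2 DescribeSecurityGroups;
the sample groups at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Ports commonly used by Elasticsearch (HTTP API and node transport). Assumed defaults.
ES_PORTS = {9200, 9300}
# CIDRs that mean "any source" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_es_port(perm: dict) -> bool:
    """True if this permission covers any Elasticsearch port.

    IpProtocol "-1" means all traffic, in which case FromPort/ToPort are absent.
    Only TCP rules are relevant to Elasticsearch.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ES_PORTS)


def _open_to_world(perm: dict) -> bool:
    """True if any source range on this permission is an any-address CIDR."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def find_exposed_es_groups(groups: list[dict]) -> list[str]:
    """Return GroupIds whose ingress rules expose an Elasticsearch port to the internet."""
    exposed = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if _covers_es_port(perm) and _open_to_world(perm):
                exposed.append(group["GroupId"])
                break  # one offending rule is enough to flag the group
    return exposed


# Constructed sample: a group restricting 9200 to a private CIDR (fine), a group
# opening 9200-9300 to all IPv4 (finding), a group allowing all traffic from all
# IPv6 (finding, since "-1" covers 9200/9300), and an HTTPS-only group (fine).
SAMPLE_GROUPS = [
    {"GroupId": "sg-private-es", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-public-es", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id in find_exposed_es_groups(SAMPLE_GROUPS):
        print(f"FINDING: {group_id} exposes an Elasticsearch port to the internet")
```

In a real account the input would be `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`, run on a schedule so that a rule change is caught soon after it lands rather than after a researcher finds the data. Network reachability is only one layer: a cluster that is not internet-reachable can still be reached by anything inside the VPC, so this check complements, and does not replace, requiring authentication on the Elasticsearch endpoint itself.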
In a statement shared with Diachenko, Dow Jones said: “This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”