A recent leak on the internet exposed 2.2 million names of people highly suspected of being involved in, or of being capable of, illegal acts.
This was discovered by none other than Chris Vickery, a security researcher at MacKeeper, a company that hired him after he gained access to its confidential files. He is also widely known for his expertise in gaining unauthorized access to other databases, with his past endeavors including a Hello Kitty database containing credentials of 3 million people who were mostly kids, and a voter database of 191 million U.S. citizens.
The security researcher explains that no hacking was involved since the database was available for public access. This recent "hack" let him retrieve a 2014 copy of the so-called World-Check global database from Thomson Reuters. Vickery took to Reddit to post about his recent discovery and asked fellow redditors if it did indeed require the public's attention.
The security researcher adds that he did not obtain the list from the company directly, but from third-party sources instead. He blames a "misconfigured database" allegedly handled by SmartKYC, one of Thomson Reuters' outsourced security platforms.
"It was a CouchDB instance that anyone in the world could access as it was configured for public access. Anyone with the URL could access and review all the records," Vickery explains.
Thomson Reuters covers various areas of expertise, "from increasing risk and regulatory complexity to transformative technology and business models," where it offers risk management solutions. One of the projects under this division is maintaining the World-Check database, which offers banks, governments, law firms and other legal and business entities an insight into the world's suspected high-risk individuals.
"[The company] monitors over 530 sanction, watch and regulatory law and enforcement lists, and hundreds of thousands of information sources, often identifying heightened-risk entities months or years before they are listed," the company describes.
Had the leaked information become widely accessible to the public, reports conclude, it could have caused problems in the future for innocent individuals listed in the database. Companies could use the information against these people and possibly get them blacklisted from anything from something as simple as opening a bank account to something more troublesome like getting hired for a job.
Fortunately, Vickery is one of the good guys: he informed the company about the security flaw. Thomson Reuters has since reconfigured the settings of the CouchDB database and confirmed Vickery's speculations about who was involved in the matter and how it was done.
"We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident," the company assures the public.