A security researcher has discovered a major security issue associated with the Dow Jones Watchlist: the Watchlist’s database was publicly accessible to anyone.
Bob Diachenko, the researcher who found the exposure, said that more than 2.4 million records in the database were out in the open as a result. All of these records resided in an Elasticsearch product used by Dow Jones.
Sophie Bent, spokesperson for Dow Jones, stated that the database was part of the company's risk and compliance feed product, derived from publicly available sources.
The big picture
Why it matters - Sensitive data, such as information on persons with criminal histories or affiliations with terrorist organizations, can become dangerous if it falls into the wrong hands and can even lead to security incidents.
When Diachenko contacted Dow Jones regarding this breach, the database was disabled immediately and the company issued a statement. “This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available,” the statement read.