Watchlist maintained by Dow Jones exposed; over 2.4 million records compromised
- It involved information pertaining to Dow Jones’ risk and compliance products.
- Various public sources such as news articles and government releases were aggregated to compile information on specific people or financial entities.
A security researcher has discovered a major security issue affecting the Dow Jones Watchlist: the Watchlist's database was reachable by anyone on the internet.
Bob Diachenko, the researcher who found the exposure, said that more than 2.4 million records in the database were openly accessible as a result. The records were stored in an Elasticsearch cluster used by Dow Jones.
Sophie Bent, a spokesperson for Dow Jones, said that the database was part of the company's risk and compliance feed product and was derived from publicly available sources.
The big picture
- The Elasticsearch cluster was 4.4 GB in size and held 2,418,862 records.
- It contained details on Politically Exposed Persons, their relatives, close associates and the companies they were connected to.
- Other information included persons with a criminal history, national and international government sanction lists and categories, and Dow Jones’ profile notes.
- These details are used by Dow Jones' customers to assess financial risk and to identify illegal activity associated with the listed persons and entities.
- According to Diachenko, the information is ‘indexed, tagged and searchable’.
Why it matters - Although each entry was compiled from public sources, the exposed cluster bundled them into a single indexed, searchable set that links people flagged for criminal history or terrorist affiliations to their relatives, associates and companies, and adds Dow Jones' own profile notes. That consolidated view is far more useful to an attacker than the scattered originals and, in the wrong hands, can put the listed individuals and their associates at risk.
When Diachenko contacted Dow Jones about the exposure, the database was taken offline immediately and the company issued a statement. “This data is entirely derived from publicly available sources. At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available,” the statement read.
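The statement attributes the exposure to a server misconfiguration. For an Elasticsearch node, the two settings that together turn a cluster into an open, unauthenticated database are the address the HTTP API binds to (`network.host`) and whether authentication is switched on (`xpack.security.enabled`, which older Elasticsearch releases left off by default). The following audit script is an added example written for this article and is not code from Dow Jones or from the Elasticsearch project; the two configuration files it checks are constructed samples, not the real server's configuration, and the parser assumes the flat `key: value` layout of a typical `elasticsearch.yml` (no YAML lists or nesting).

```python
"""Offline audit of an elasticsearch.yml for settings that expose a cluster.

Added example: the configurations below are constructed for illustration and
are not the Dow Jones server's configuration. The parser only handles flat
"key: value" lines, which is how elasticsearch.yml is usually written.
"""
from typing import Dict, List

# Bind addresses that keep the HTTP API reachable only from the host itself.
# Anything else (0.0.0.0, _site_, _global_, a concrete IP) is reachable from
# the network, and from the internet if the host has a public address.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

# Constructed example of a risky configuration: bound to every interface with
# no authentication and no TLS, which is how a cluster ends up open to anyone.
WEAK_CONFIG = """\
cluster.name: watchlist          # constructed sample, not real
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed example of a hardened configuration: still reachable from the
# network (a private address, so other hosts can query it), but with
# authentication and HTTP TLS enabled.
HARDENED_CONFIG = """\
cluster.name: watchlist          # constructed sample, not real
network.host: 10.0.3.7
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines, dropping comments and surrounding quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no exposure risk found."""
    findings: List[str] = []
    # network.bind_host overrides network.host for the listening address;
    # Elasticsearch defaults to _local_ (loopback) when neither is set.
    bind = settings.get("network.bind_host") or settings.get("network.host", "_local_")
    reachable = bind not in LOOPBACK
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    port = settings.get("http.port", "9200")

    if reachable and not auth_on:
        findings.append(
            f"CRITICAL: HTTP API bound to {bind} with authentication disabled; "
            f"anyone who can reach port {port} can list and read every index"
        )
    if reachable and auth_on and not tls_on:
        findings.append(
            "WARNING: authentication is on but HTTP TLS is off; "
            "credentials and data travel in clear text"
        )
    if (settings.get("http.cors.enabled", "false").lower() == "true"
            and settings.get("http.cors.allow-origin") in ("*", "/.*/")):
        findings.append(
            "WARNING: CORS allows any origin, so a script on any website "
            "can query the cluster from a visitor's browser"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_simple_yaml(cfg)) or ["no findings"]:
            print("  " + finding)
```

Run as a script, the weak sample produces the CRITICAL finding and the hardened sample produces none. The check deliberately treats a private address as "reachable", because a security group or firewall rule on the host is what decides whether a private bind is also an internet-facing one, and that is exactly the kind of server-level setting the statement above describes as misconfigured; binding to a non-loopback address without authentication should be flagged regardless.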