A Dow Jones database detailing more than 2.4 million records of risky businesses and people has been exposed. A third-party company reportedly left the watchlist on a public server without password protection.
Security researcher Bob Diachenko found the database, which companies use to determine how risky a potential client or partner may be. For instance, government agencies and banks use it to determine whether to provide financing.
Diachenko wrote that the entries were "indexed, tagged and searchable." According to TechCrunch, the list includes current and past elected officials, sanctioned people and companies, individuals with terrorism links, "special interest persons" and people convicted of financial crimes.
The entries are said to include names, addresses, locations, dates of birth, physical descriptions, primary languages, relatives, genders and photos, along with detailed notes on each person or company. All the data is collected from public sources, though it's not difficult to imagine the type of chaos a bad actor could cause if all that information were easily accessible in a single, searchable package. It's not clear whether any unauthorized person other than Diachenko found the database.
"At this time our review suggests this resulted from an authorized third party's misconfiguration of an AWS server, and the data is no longer available," a Dow Jones spokesperson told Diachenko. It remains to be seen how regulators in the US and elsewhere (such as the EU, under its General Data Protection Regulation) will address the leak. The company has faced other privacy issues in the past, including in 2015, when hackers reportedly stole trading information and Wall Street Journal subscriber details.