
Dow Jones list of 2.4 million risky banking clients exposed online

Foreign politicians, terrorists and high-profile criminals are on the list.

Laura Hautala Former Senior Writer

The Dow Jones Watchlist was not meant to be public.


A Dow Jones list of millions of people at risk for bribery and corruption, as well as high-profile criminals and terrorists, sat out in the open on an unsecured online database, a researcher has found.

The Watchlist is a proprietary database that financial institutions use to flag potential customers who may be too risky to bank with. Ukrainian researcher Bob Diachenko said in a blog post that the list includes more than 2.4 million records and lists the relatives, businesses and close associates affiliated with high-risk individuals, as well as citations from federal agencies and other law enforcement groups.

The exposed list, earlier reported in TechCrunch, is the latest example of a much larger problem. Databases full of sensitive information are often left unsecured on the internet, and they're easy to find. Anyone can be in one of these lists, like the Hello Kitty fans, including children, whose data was exposed in an unsecured database in 2015.

"We live in the age of big data where we are probably going to be on a list someday," Diachenko said in his blog post, "but let's hope that list is not leaked online or publicly available."

Dow Jones said in a statement that the database is now secured.

"This dataset is part of our risk and compliance feed product, which is entirely derived from publicly available sources," the company said in its statement. "At this time our review suggests this resulted from an authorized third party's misconfiguration of an AWS server, and the data is no longer available."