Cyber Incident Victim: World-Check
Date:
Jan 2014
Location:
United States of America
Summary
A Thomson Reuters-managed database containing over 2.2 million risk profiles of individuals and entities linked to alleged criminal activities was exposed online due to third-party security failures, discovered by a researcher using open-source tools. The compromised system, utilized by major financial institutions, government agencies, and law firms for regulatory compliance, generated profiles from public domain sources including unverified media reports, leading to documented cases of misidentification where innocent parties were falsely labeled as terrorists or criminals. This resulted in reputational damage and tangible harms such as financial service denials, while raising concerns about the vetting processes for data inclusion and the broader implications of unregulated risk profiling systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2016, security researcher Chris Vickery identified a publicly exposed database containing over 2.2 million records from Thomson Reuters' World-Check system, a global risk profiling tool used by financial institutions, government agencies, and corporations. The compromised data represented a mid-2014 version of the database that stored sensitive profiles of individuals and organizations allegedly linked to terrorism, organized crime, corruption, and financial offenses. Vickery discovered the unprotected information through routine searches using the Shodan search engine, which identifies internet-connected devices with inadequate security controls. He promptly notified Thomson Reuters about the exposure while noting the data remained publicly accessible at the time of his disclosure. Thomson Reuters confirmed receiving the alert and stated it was "working feverishly" to secure the information while contacting the third party responsible for the exposure. The company emphasized World-Check aggregated publicly available data, including official sanctions lists, to assist clients with regulatory compliance. Vickery clarified no hacking occurred during his discovery, characterizing the incident as a leak originating from a third-party source rather than directly from Thomson Reuters' systems.
The exposure revealed World-Check's extensive influence, with 49 of the world's 50 largest banks, over 300 government and intelligence agencies, and nine top-tier law firms relying on its profiles for customer risk assessments. The database compiled allegations of criminal activities—including bribery, cybercrime, human trafficking, and racketeering—from media reports and other public sources, adding approximately 25,000 new profiles monthly while updating 40,000 existing records. Previous investigations by Vice News and the BBC had documented systemic issues with false positives, where the database erroneously labeled innocent individuals and organizations as terrorism risks. Documented cases included an American Muslim civil-rights leader commended by President George W. Bush, a British anti-extremism activist, a Queen Elizabeth II-honored economist, charities, religious institutions, and a UK mosque whose HSBC accounts were closed based on World-Check terrorism designations. British Parliament member Diane Abbott criticized the platform's compilation methodology, noting designations sometimes derived from unverified online allegations without rigorous review processes, creating potential for discrimination and significant personal consequences. The incident underscored operational risks associated with unsecured third-party data repositories containing sensitive profiling information used for critical financial and security decisions.