If your name’s on this list, banks will treat you with extreme caution. The database is supposed to be private, but it was found online, accessible to anyone with a web browser, a security researcher said Friday.
Called WorldCompliance Data, it’s LexisNexis’ proprietary database that warns financial institutions when potential customers have been convicted of financial crimes or might be susceptible to bribery.
The database contained more than 4.5 million records, said Bob Diachenko, the researcher who found it. Based on a sample of the data seen by CNET, the database revealed people’s names, ages and countries, as well as any criminal convictions or status as a “politically exposed person.” Called PEPs, these are people, often in governments, who might be targets of extortion or bribery attempts. The exposed database has been secured since Diachenko discovered it and alerted LexisNexis and the cloud service provider, Google.
The exposure is part of a larger problem of misconfigured databases, which have leaked everything from the health care records of drug rehabilitation patients to the expected salaries of job seekers. As organizations around the world move their data to cloud servers, not all of them have the expertise to lock the data behind a password. A group of researchers around the world looks for the databases using special search techniques and custom software, trying to help get the data secured when they find it. But hackers can use the same tools, making the exposures risky.
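The check behind that paragraph is simple: does the data store hand back records to a request that carries no credentials at all? The script below is an added example written for this page, not code from CNET, Diachenko or LexisNexis, and it assumes a store that answers HTTP(S) with JSON (as one “accessible to anyone with a web browser” would) and that you are authorized to test the target; the URL, endpoint and User-Agent string are placeholders you supply.

```python
"""Added example (not from the article): probe one of your own HTTP-reachable
data stores without credentials and report whether it hands back records.

Assumptions: the store speaks HTTP(S) and returns JSON, and you are authorized
to test the target. The URL is a placeholder supplied on the command line.
"""
import json
import sys
import urllib.error
import urllib.request

TIMEOUT_SECONDS = 5


def classify_response(status: int, body: bytes) -> str:
    """Map an unauthenticated HTTP reply to a verdict.

    'auth-required'  the store challenged us, which is what we want to see
    'exposed'        a 200 with a non-empty JSON document or list came back:
                     anyone who found the host could read what we just read
    'reachable'      a 200 without JSON records (a banner page, an empty
                     object); the port is open, so check the endpoint
    'unknown'        anything else (5xx, odd status codes)
    """
    if status in (401, 403, 407):
        return "auth-required"
    if status == 200:
        try:
            parsed = json.loads(body.decode("utf-8", errors="replace"))
        except ValueError:
            return "reachable"
        if isinstance(parsed, (dict, list)) and parsed:
            return "exposed"
        return "reachable"
    return "unknown"


def probe(url: str) -> str:
    """Issue one unauthenticated GET and classify the answer.

    Returns 'unreachable' when the connection fails, otherwise the verdict
    from classify_response(). Redirects are followed by urlopen, so the
    status we see is that of the final response.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "self-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT_SECONDS) as resp:
            return classify_response(resp.status, resp.read(65536))
    except urllib.error.HTTPError as err:
        # urlopen raises for 4xx/5xx; the status code is still what we want
        return classify_response(err.code, err.read(65536))
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_exposure.py http://HOST:PORT/ENDPOINT")
    print(probe(sys.argv[1]))
```

Point it at the endpoint that would list records (a collection or index listing, not just the server’s landing page), since a banner page answering 200 says only that the port is open. A verdict of “exposed” means the store should be put behind authentication and a network boundary before anyone else finds it; the scanners the article mentions, whether run by researchers or by attackers, issue essentially this same unauthenticated request across the whole internet.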
This is the third dataset containing high-risk banking customers that Diachenko has discovered. In February, he said he discovered Dow Jones’ Watchlist, which contains similar records, exposed on the internet. In July, he detailed findings of a dataset that appeared to contain records from a variety of sources, including LexisNexis.
LexisNexis didn’t immediately respond to a request for comment. Diachenko noted that it’s unclear which organization maintained the version of the database that was exposed. For example, a bank or other organization that pays for access to the data may have been the source of the exposure.