World-Check due diligence list leaked online, Thomson-Reuters admits

A list of people suspected of links with crime and terrorism from due diligence company World-Check has been leaked online, reportedly by a former associate.

Thomson Reuters’ ‘risk profiles’ have been wrong before (Gideon Benari via Flickr)
Thomson Reuters’ ‘risk profiles’ have been wrong before (Gideon Benari via Flickr)

A list of suspected criminals has been leaked online. The list was leaked from a Thomson-Reuters due diligence service, World-Check, which profiles individuals and businesses suspected of ties to organised crime and terrorism.

The leaked database contains 2.2 million records from an old list, dating back to mid-2014. The list collects information on individuals and businesses often detailing suspected murky dealings including bribery, cyber-crime and human trafficking.

The service is used by 49 of the world's top 50 financial institutions and nine of the world's top 10 global law firms as well as hundreds of government agencies for the purposes of conducting due diligence background checks on individuals.

World-Check is not without its critics though who claim the service has falsely listed several individuals and organisations as having links to terrorism.

The leak was discovered by serial leak-spotter, Chris Vickery, who told SCMagazineUK.com that the leak came in the form of a CouchDB instance available on the open internet.

He made it clear on a Reddit post disclosing his discovery that “No hacking was involved in my acquisition of this data. I would call it more of a leak than anything” and that all of the data compiled seemed to be publically accessible in the first place.

Considering the sensitivity of the data, Vickery was unsure whether to publicise the fact that the database had been leaked.

The wide publication of such a list could be harmful, Vickery told SC: “I think the worst possible situation that could arise from such a database being made public is that someone who may be innocent, but accused of criminal activity in the database, could be permanently branded on a global scale if this database were to be spread publicly.”

A spokesperson for Thomson Reuters, the parent company of World-Check, told SC that “Thomson Reuters was yesterday alerted to out of date information from the World-Check database that had been exposed by a third party.” 

Thomson Reuters “immediately took steps to contact the third party responsible – as a result we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident.”

That third party, according to Vickery, could be another due diligence company, called SmartKYC, which has worked with Thomson Reuters in the past. Apparently, other databases within the CouchDB instance are replete with references to SmartKYC. Furthermore, added Vickery, “the record-checking process explained on SmartKYC's public website describe the exact the reference databases within the CouchDB.”

SmartKYC did not respond in time for publication.

Luke Brown, vice president and general manager at Digital Guardian, told SC, "Organisations have a duty of care, not to mention legal obligation, to protect data. It doesn't matter if the contents of that data are good, bad or ugly. If you store it, you have to look after it.”

Brown added, “A simple mistake like this can have life-altering effects for those caught in the middle and whilst businesses often recover, it's the victims that continue to pay the price.” 

Sign up to our newsletters