back to article Cybercriminals threaten to leak all 5 million records from stolen database of high-risk individuals

The World-Check database used by businesses to verify the trustworthiness of users has fallen into the hands of cybercriminals. The Register was contacted by a member of the GhostR group on Thursday, claiming responsibility for the theft. The authenticity of the claims was later verified by a spokesperson for the London Stock …

  1. Pascal Monett Silver badge
    Mushroom

    "work is underway to further protect data"

    Then, when the next breach occurs, further work will "be underway".

    Sometimes it would be so nice to be able to just stand those idiots in a line and slap all of them in one fell swoop.

    I don't care that security is hard. You know that the database is critical. Get yourselves an $800 million dollar budget and secure the damn thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: "work is underway to further protect data"

      From my limited knowledge of this topic, there isn't really 'a database' to secure: this is not a central database that organisations consult to see if a potential customer is on a list, because no organisation wants to let someone else know who is coming through their doors.

      Instead, subscribers regularly get a copy so they can use it to populate their own internal database that they consult. Because the schema is rather basic, I believe it is not much more complicated than a gigantic CSV, XML or JSON file, to make it easy for organisations to ingest no matter what technology they use.

      So, not one copy to protect, lots. And no-one knows where all of them are.

      1. Eclectic Man Silver badge

        Re: "work is underway to further protect data"

        I reckon we need to hear from the Information Commissioner's Office about this. These are personal details of identifiable living individuals and so covered by the GDPR in both the UK and the EU. Organisations holding such data must keep it securely. but because these people are known or strongly suspected of being very very naughty does not mean their data can be treated less carefully, In any case, an internationally active criminal would be very interested to know what information is held about them, particularly whether their current alias is known.

        1. Anonymous Coward
          Anonymous Coward

          Re: "work is underway to further protect data"...

          Are you kidding, the OAIC? They know we don't deserve to see behind the curtains.

          Records from these datasets are only leaked occasionally, and carefully, quite selectively, when they need to target someone, or some group. Need to see how much makes it out publicly. As KYC datasets are so detailed, with financial and private contact of maximum importance to everyone in them, the ones they miss out are significant. Should the group be paid for by an Actor of significance, they'll scrape anyone they care about from the list, before they publish any records from it. This will be checked by eeryone 'in the tent', so they can gain clues about those behind it.

          Should data privacy ever become part of the public narrative during a leak (rarely), they wheel out the 'We need to centralise all records to absolutely secure (eminently, who dare question this anyway)' government dept' datastores', where the only one to blame for any wrongdoing are Bots and IT bods.

          1. Anonymous Coward
            Anonymous Coward

            Who owns the data once the individual 'hands it over' quickly becomes who gives AF

            The elephant in the room here is KYC and AML, requiring these records be collected, checked and verified by multiple businesses with (practically) no guidance or governance around ownership, management of data, minimum standards, best practice, and long term goals... it all just amplifies how little anyone can achieve can last until we resolve problems of Trust in an open, public, way. Centralisation of PII in insecure, obscure, government systems is a patch dressed up as latex, and has plenty of problems of its own.

            1. Roo
              Windows

              Re: Who owns the data once the individual 'hands it over' quickly becomes who gives AF

              There are laws around ownership and management of KYC / AML data. The problem is enforcement (or lack thereof), it appears to be very weak and very selective in it's application.

    2. tmTM

      Re: "Get yourselves an $800 million dollar budget and secure the damn thing."

      or spend zero dollars, but make the database open for anyone to search.

      Then it has no value, so it's not worth stealing.

  2. Mike 137 Silver badge

    But ...

    As the list ostensibly consists of profiles of "bad people", the greatest societal threat would seem to be fabrication of records about innocent folks, rather than leaking of real records.

    1. KarMann Silver badge

      Re: But ...

      But it's not just 'bad people', it's also what are known as 'Politically Exposed Persons', including such as the judges mentioned. They, for example, aren't just judges on the take, but any judge who might be a target for bribery. And whilst many may have a lower opinion of politicians as a class, for the most part, they aren't the sort that should be barred from banking just for being a politician.

      1. KarMann Silver badge

        Re: But ...

        Thinking it through even a bit further, even a judge who hadn't been corrupted, might be made more vulnerable to corruption by the kind of info in this breach. So no, not good at all.

        (This was to be an ETA, but I ran out of time to edit just as I was finishing typing it.)

  3. Khaptain Silver badge
    Holmes

    GhostR contacted El Reg

    Is there something we don't know about, like an El Reg insider that has a secondary past-time ?

    1. seven of five

      Re: GhostR contacted El Reg

      They'd love to tell you, but then they'd have to kill you?

  4. Anonymous Coward
    Anonymous Coward

    You know....the sort of people who accept Fortnum & Masons bags stuffed with folding......

    ....guess who? I wonder what the database details say?

  5. Robert Grant

    > Sources speaking to The Register at the time claimed HSBC also may have closed the mosque's account because of a donation made to an unspecified Palestinian org during its 2015 war with Israel. In 2021, the mosque won a libel case against the news agency, which had to pay unspecified damages as its wrongful placement on the list caused banks to refuse to accept the mosque as a customer.

    For anyone else who couldn't follow who "the news agency" was, it's Thompson Reuters, mentioned way up higher in the article.

  6. sitta_europea Silver badge

    "No bank wants to be associated with a known money launderer, after all."

    Now if they're *unknown* money-launderers, well...

  7. JimmyPage Silver badge

    Are lists of dodgy criminals secret ?

    In the UK they're in the public domain. It's called "The Cabinet"

    1. MachDiamond Silver badge

      Re: Are lists of dodgy criminals secret ?

      The compilation will have more value than the sum of the parts and getting on the list likely doesn't mean that a court somewhere has looked at evidence and convicted a person on the list. Read: carp tons of politics. A news agency might keep such a list of persons where the suspicion they are naughty is valuable in the same way as law enforcement agencies, but not for sharing around. If I read the article correctly, somebody is trying to duck responsibility by claiming that the data was hacked from another source than the original file. This is one of those things where the liability shouldn't be able to be shed. A dangerous product was "shared" with their "partners" and one of those partners screwed up. If the originator is also on the hook, maybe they'll be more cautious next time or keep such things in-house and air-gapped.

    2. MachDiamond Silver badge

      Re: Are lists of dodgy criminals secret ?

      "n the UK they're in the public domain. It's called "The Cabinet""

      In the US, the terms "congress" and "government employee" are used.

      1. parlei

        Re: Are lists of dodgy criminals secret ?

        Back when a certain Supreme was in the news for not seeing all expense luxury vacations as a problem a lot of normal government employees described the rules they operated under. As in if they inspected a facility they had to pay for their own coffee. Supposedly some companies kept a separate coffee machine where you could pay for it just for this purpose, even if everyone else got theirs for free.

        So I suspect that the risk category is rather "politically appointed government official".

  8. tiggity Silver badge

    suspected terrorists

    In many cases this will not be actual terrorists but just people who disagree with the policies / actions of various "Western" governments

    1. Anonymous Coward
      Anonymous Coward

      Re: suspected terrorists

      and if Russia contributes to the list, it will include all members of Jehovah's Witnesses and various other harmless folk, plus anyone who doesn't support the Special Military Operation (TM) and and and.

      I hope someone at the bank actually *reads* the "why this person's on the list" field, not just summarily dismiss anyone who is.

  9. Alan Brown Silver badge

    Incorrect assertion

    "This was not a security breach of LSEG/our systems,"

    Yes it was. Your systems allowed a 3rd party to have access to the data without THEIR security being vetted

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like