Hackers Are Threatening To Publish a Huge Stolen Sanctions and Financial Crimes Watchlist (techcrunch.com)
An anonymous reader shares a report: A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime. The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.
World-Check is a screening database used for "know your customer" checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions. The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm. A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.
Criminals (Score:2, Funny)
Criminals outing criminals. What is this world coming to!?
Re: (Score:2, Troll)
Criminals outing criminals. What is this world coming to!?
Coming to? Criminals outing criminals describes every patent dispute between mega corps for the last two decades. We’ve been down this sponsored road for a while now.
Re: (Score:2)
Honor among thieves is a myth. It would be funny if they did release it, not only as an outing, but a way of making a lot of personal enemies, that have no ethics in solving a particular problem.
Re: (Score:2)
The quote is "There is no honor among thieves". It never existed in the first place. Because if crooks can't be trusted (they're a crook, they already did the crime), why would a crook trust a crook?
I mean, they're willing to break rules to get what they want, so why would they suddenly be willing to obey a rule in
Re:Criminals (Score:5, Informative)
That's right, a Democrat made the motion to impeach Biden on the full floor and the liars who claimed to be "investigating" folded like a cheap tent in a hurricane.
Because they know it's all a lie. A sham, perpetrated for the sole reason of allowing other liars to claim Biden is "under investigation."
Re: (Score:2)
Got a link?
Are they on the list? (Score:2)
Sanctions, Financial Crimes ... and (Score:1)
Re: (Score:1)
That is far from a full and complete list.
I hope they release it (Score:4)
To hell with secret blacklists.
Too many options ... (Score:1)
5.3 million records ... potential customers for links to sanctions and financial crime. ...prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.
[insert Trump jokes here]
Access to some data should be rate-limited (Score:5, Interesting)
Sensitive data should be hard to steal in bulk.*
Put the data warehouse behind a slow-speed link - one that's just fast enough for normal, expected traffic. "Slow speed link" may vary by time-of-day or other circumstances.
The goal is that if there's a big rush of traffic, requests will get queued or dropped and someone will notice and be able to hit the "emergency stop" button.
Sensitive data that will never be needed "in real time" should be stored in a system that can only be accessed by a few people (or robots serving the same purpose) who have the job of taking requests, copying the data to temporary storage, then moving the temporary storage to someplace where the person who needs it can get to it. Think of it as a cache with a 5-minute loading time.
If industry does this, some things will be less convenient and more expensive to run, but the risks of large-scale, hit-and-run data thefts will go way down. This won't fix small-scale thefts or slowly-drain-the-data-warehouse attacks, but it will help.
* Sensitive data should be hard to steal, period, but that may be too much to ask.
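One way to implement the "slow-speed link" and "emergency stop" ideas from the comment above, as an added example that is not part of the original thread: a token bucket counted in records returned rather than requests, which latches shut after repeated over-budget requests. The class name, the rates and the automatic latch (the comment describes a person pressing the button) are assumptions chosen for illustration, and the traffic is constructed.

```python
import time

class EgressGovernor:
    """Token bucket over records served, with a latching emergency stop (hypothetical names)."""

    def __init__(self, rate_per_sec, burst, trip_after_denials, clock=time.monotonic):
        self.rate, self.burst = rate_per_sec, burst
        self.trip_after = trip_after_denials
        self.clock = clock
        self.tokens, self.last = float(burst), clock()
        self.denials, self.tripped = 0, False

    def request(self, n_records):
        """Return 'served', 'throttled' or 'stopped' for a lookup of n_records."""
        if self.tripped:
            return "stopped"              # stays shut until an operator resets it
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if n_records <= self.tokens:
            self.tokens -= n_records
            self.denials = 0
            return "served"
        # A request larger than `burst` can never be served here; bulk exports
        # have to go through a separate, human-approved path.
        self.denials += 1
        if self.denials >= self.trip_after:
            self.tripped = True           # assumption: auto-latch instead of a manual button
            return "stopped"
        return "throttled"

    def reset(self):
        """Operator action after reviewing the alert."""
        self.tripped, self.denials = False, 0
        self.tokens, self.last = float(self.burst), self.clock()

def simulate():
    """Constructed traffic: five normal lookups, then a bulk pull."""
    t = [0.0]                             # fake clock so the run is deterministic
    gov = EgressGovernor(rate_per_sec=10, burst=50, trip_after_denials=3,
                         clock=lambda: t[0])
    results = []
    for _ in range(5):                    # normal use: 5 records once a second
        t[0] += 1.0
        results.append(gov.request(5))
    for _ in range(4):                    # bulk pull: 1000 records every 0.1 s
        t[0] += 0.1
        results.append(gov.request(1000))
    return results, gov
```

As the comment notes, a limiter like this does nothing against a slow drain that stays under the budget; it only turns a hit-and-run bulk pull into a visible event.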
A Taken Esc Movie (Score:1)
Re: (Score:1)
Re: (Score:3)
Re: A Taken Esc Movie (Score:1)
Re: A Taken Esc Movie (Score:1)
Re: (Score:2)
Threatening who? (Score:2)
Re: (Score:3)
The "know your customer" system.
So if I run a seedy, money laundering, tax dodging business and I see my company's name on this list, it's time to launch a new corporate identity and begin moving my funds through that.
The whole World-Check database scheme is just thinly veiled blackmail anyway. You suspect someone of violating financial laws or regulations, you file a complaint with the appropriate authorities. A case is taken to court and the suspect is found either guilty or innocent. If it's the latter
How much do they want for it? (Score:2)
We could pass around the plate, maybe we could come up with the total.
The banks use KYC to bully people (Score:4, Interesting)
I recently made a complaint to my country's regulators about my bank. A few weeks later, the bank started nagging me to "verify my identity" as part of their "KYC" procedure. The bank threatened to cut off access to my account if I didn't comply. I had a quick look through the questionnaire on their website and decided the bank was asking for way too much information, most of it not relevant for a personal bank account. I eventually went into a branch (one of the few branches they haven't closed down to save money) and showed them an ID.
Lessons learned:
1. These KYC programs are not just to target shady money launderers. Large corporations can and do use these tools to harass and intimidate innocent people.
2. If the bank wants you to log into their website (or use their app) to do anything above or beyond simply paying a bill, don't do it. Go to the branch in person, even if it's a hassle.
3. Keep a few bucks in cash in case the bank maliciously cuts you off. They'll call it an "error" and it will probably get fixed eventually.... but you'll need to eat in the meantime.
4. Banks are not run by nice people. Banks don't deliver profits to their shareholders by being nice to their customers.
Re: (Score:2)
I recently made a complaint to my country's regulators about my bank. A few weeks later, the bank started nagging me to "verify my identity" as part of their "KYC" procedure. The bank threatened to cut off access to my account if I didn't comply. I had a quick look through the questionnaire on their website and decided the bank was asking for way too much information, most of it not relevant for a personal bank account. I eventually went into a branch (one of the few branches they haven't closed down to save money) and showed them an ID.
Lessons learned:
1. These KYC programs are not just to target shady money launderers. Large corporations can and do use these tools to harass and intimidate innocent people.
2. If the bank wants you to log into their website (or use their app) to do anything above or beyond simply paying a bill, don't do it. Go to the branch in person, even if it's a hassle.
3. Keep a few bucks in cash in case the bank maliciously cuts you off. They'll call it an "error" and it will probably get fixed eventually.... but you'll need to eat in the meantime.
4. Banks are not run by nice people. Banks don't deliver profits to their shareholders by being nice to their customers.
This is one reason why you should never keep your money in one place, or even one format. This is why rich people don't even keep much of their cash in the same country.
Re: (Score:2)
And one of the valid reasons to actually own at least a little in Bitcoin.
Re: (Score:2)
And one of the valid reasons to actually own at least a little in Bitcoin.
I dabbled in bitcoin a decade ago, and left mostly because all the exchanges I dealt with seemed to have very onerous ID requirements, and unlike banks which are at least _supposed to be_ regulated, the bitcoin exchanges would just demand photos of passports, driver's licences etc with no legal assurances the info would be used/stored/deleted responsibly. Real banks screw this up often enough that I am very reluctant to trust a bitcoin exchange to do a better job.
Probable nothingburger (Score:2)
Good data or bad (Score:2)
This data has been in the hands of at least two untrustworthy parties. Do you think they are above inserting false records to implicate someone who is otherwise not a risk?