A database used by global banks, governments, law firms, and intelligence agencies to identify suspects related to terrorism, crime, corruption, and other wrongdoings leaked online.
Chris Vickery, a security researcher at the software firm MacKeeper, recently discovered an exposed version of the Thomson Reuters’ (TRI) World-Check database, which contains 2.2 million records on “heightened risk individuals and organizations,” he wrote Tuesday in a post on Reddit. Vickery said the copy he found dated to mid-2014.
“No hacking was involved in my acquisition of this data,” he wrote, mentioning that the set appeared to be “sourced from publicly available materials.” He added that he “would call it more of a leak than anything.”
Get Data Sheet, Fortune’s technology newsletter.
In an email to Fortune, Vickery further clarified that the leak involved an open source Apache database called CouchDB: “It was a CouchDB instance that anyone in the world could access, as it was configured for public access. Anyone with the URL could access and review all the records.”
Vickery told Fortune that SmartKYC, a database manager that sells its services to financial firms, was likely responsible for the misconfigured database. A Thomson Reuters spokesperson declined to comment on the attribution. Fortune has reached out to SmartKYC to confirm this detail as well, and will update this post if and when we hear back.
Thomson Reuters did confirm the leak in a statement emailed to Fortune. “Thomson Reuters was yesterday alerted to out of date information from the World-Check database that had been exposed by a third party,” the company said. “We are grateful to Chris Vickery for bringing this to our attention, and immediately took steps to contact the third party responsible—as a result we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident.”
People have criticized Thomson Reuters for its data collection methods, which can include state-sponsored news sources, as well as its designations, which opponents say can be inaccurate, as BBC’s Radio 4 reported last year. The company disagrees with such characterizations, maintaining that the database’s primary function is to help banks, for instance, comply with international sanctions.
For more on terrorism, watch:
Subscribers to World-Check include “over 300 government and intelligence agencies, 49 of the 50 biggest banks, pre-employment vetting agencies and 9 of the top 10 global law firms,” according to a Vice News story published earlier this year.
Vickery has built a reputation on discovering data where it shouldn’t be accessible. Most recently, he reported on the breach of 93 million Mexican voters’ records, caused by an error in a MongoDB (MONGODB) database.
