Skip to main content


Thomson Reuters world crime and terror database leaked

Thomson Reuters' global database of thousands of people suspected of crime and links to terrorism has been leaked online.

Names, ages, dates of birth, locations and citizenship information feature in records relating to 2.2 million individuals and entities that are believed to have ties to bribery, corruption, organised crime, money laundering and other illegal activity. Some 93,000 are identified as having links to terrorism.

The database World-Check launched in 2000 and was bought by Thomson Reuters in 2011. It is used by more than 300 government agencies, including intelligence and law enforcement services, 49 of the world’s 50 largest banks and nine out of the world’s ten largest law firms to vet individuals and companies. It costs as much as £825,000 a year to use.

Thomson Reuters claims the database’s terrorism coverage “exceeds official sources by tens of thousands of records”.

It says that World-Check helps its clients to screen for “heightened risk individuals and entities globally” to “help uncover hidden risks in business relationships and human networks”. It has been accused of wrongly listing Muslims as having suspected links to terrorism. Some are believed to have had their bank accounts closed as a result.

World-Check is compiled by more than 200 Thomson Reuters research analysts who monitor more than 100,000 public information sources, such as crime watch lists, politics websites and social media. They use the information to classify individuals and companies as carrying a high risk to their clients. Every month more than 20,000 new profiles are added to the database, which covers 240 countries.

Chris Vickery, a software security researcher who discovered the database online, said it could have been found by “anyone that knows how to use a computer” and that gaining access to it was “trivially easy”. The database was secured by Thomson Reuters "working feverishly" in the hours after he discovered it, he said.

Vickery said that he intended to conduct “limited, responsible analysis” of the World-Check records and was leaning towards “not openly publicising the whole database”. The records were last updated in mid-2014, he said.

“No hacking was involved in my acquisition of this data,” Vickery said. “I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.”

Thomson Reuters spokesman David Crundwell said: “Thomson Reuters was yesterday alerted to out-of-date information from the World-Check database that had been exposed by a third party. We are grateful to Chris Vickery for bringing this to our attention and immediately took steps to contact the third party responsible. As a result we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident.” ■

The Times