5.3 million World Check records may have been leaked; How to check your documents

World-Check's database, a “Know Your Customer” (KYC) database containing millions of records on “high-risk” individuals and organizations, may soon be leaked by hackers who claim to have stolen 5.3 million World-Check accounts. Having stolen records from a third party.

TechCrunch reported Thursday that a group called GhostR told the publication that it hacked a Singapore-based company with access to the database in March and threatened to release the data online. The alleged injured third party was not named, nor was his relationship to World-Check fully explained.

A data sample that GhostR provided to TechCrunch reportedly included names, social security numbers, bank account numbers, cryptocurrency account IDs, and passport numbers. The sample included information on thousands of individuals classified as “politically exposed persons” who are at high risk of committing financial crimes.

It's unclear whether GhostR is trying to extort the London Stock Exchange Group (LSEG), which runs World-Check, or is planning to sell the data, although TechCrunch described the group as “financially motivated.” An LSEG spokesperson told the publication that the company's proprietary systems were not breached and that the company is working with third parties and authorities to ensure the protection of data.

How to check whether your records exist in the World Check database

The World Check Screening Database is offered as a subscription service for companies to conduct KYC checks and determine whether potential customers may be linked to financial crimes such as money laundering or violating government sanctions.

World-Check came into LSEG's ownership in 2021 when LSEG purchased financial data company Refinitiv for $27 billion.

World-Check has been criticized in the past for incorrectly labeling individuals and organizations as high-risk; For example, in 2017, Maajid Nawaz, founder of the now-defunct British think tank Quillium, successfully sued the database's then owner, Thomson Reuters, for incorrectly including his name in the “terrorism” category.

Anyone concerned that their information may be included in the database can submit a request to LSEG. The LSEG website states that data subjects have the right to request a copy of the personal data held about them, to request updates to the personal data held and to object to the processing of their personal data, and that there is no cost for requests.

The website also notes that LSEG may not always be able to fulfill requests and will provide an explanation if a request cannot be processed.

The reported GhostR hack is not the first time that records from the World Check database have been leaked. In 2016, more than 2 million records from the database were leaked by an unknown third party and discovered by security researcher Chris Vickery. Thomson Reuters confirmed the leak, noting that the exposed records were “out of date” and reporting that the records were removed by the third party after they were discovered.