TSA ‘no fly’ list leaked after being found on unsecured airline server

A foreign hacker obtained an old copy of the U.S. government’s Terrorist Screening Database and “no fly” list from an unsecured server belonging to a commercial airline.

The Swiss hacker known as “maia arson crimew” blogged Thursday that she discovered the Transportation Security Administration “no fly” list from 2019 and a trove of data belonging to CommuteAir on an unsecured Amazon Web Services cloud server used by the airline.

The hacker told The Daily Dot the list appeared to have more than 1.5 million entries. The data reportedly included names and birthdates of various individuals who have been barred from air travel by the government due to suspected or known ties to terrorist organizations. The Daily Dot reported that the list contains multiple aliases, so the number of unique individuals on the list is far less at 1.5 million.

Noteworthy individuals reported to be on the list include Russian arms dealer Viktor Bout, who was recently freed by the Biden administration in exchange for WNBA star Brittney Griner, and suspected members of the IRA and others, according to The Daily Dot.

“It’s just crazy to me how big that terrorism screening database is, and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” crimew told the outlet.

Reached for comment, a TSA spokesman said the agency is “aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.”

In a statement to FOX Business, CommuteAir confirmed the legitimacy of the hacked “no fly” list and data that contained private information about the company’s employees.

“CommuteAir was notified by a member of the security research community who identified a misconfigured development server,” said Erik Kane, corporate communications manager for CommuteAir. “The researcher accessed files, including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth. Additionally, through information found on the server, the researcher discovered access to a database containing personal identifiable information of CommuteAir employees.

“Based on our initial investigation, no customer data was exposed,” Kane added. “CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency and also notified its employees.”

CommuteAir is a regional airline founded in 1989 and based in Ohio. The company operates with hubs in Denver, Houston and Washington Dulles and operates more than 1,600 weekly flights to over 75 U.S. destinations and three in Mexico.

According to crimew’s Wikipedia page, which the hacker maintains is accurate, she was indicted by a grand jury in the United States in March 2021 on criminal charges related to her alleged hacking activity between 2019 and 2021. Her Twitter bio describes her as “indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten (θΔ), 23 years old.”