The Transportation Security Administration’s No-Fly List is one of the most important documents in the United States: it contains the names of people who are perceived to be such a threat to national security that they are not allowed on planes. You’d be forgiven for thinking the list was a closely guarded state secret, but lol, no.
A Swiss hacker known as “maia arson crimew” obtained a copy of the list – albeit a version from a few years ago – not by getting past fortress-like layers of cyber security, but by finding a regional airline that had its data lying around on unprotected servers. They announced the discovery with the image and screenshot above, where Pokémon Sprigatito looks very pleased with itself.
As they explain in a blog post describing the process, crimew was poking around the web when they found that CommuteAir’s servers were just sitting there:
like so many of my hacks this story starts with me being bored and surfing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting items. at this point I’ve probably clicked through about 20 boring exposed servers with very little interest when I suddenly start seeing some familiar words. “acars”, many mentions of “crew” and so on. many words I have heard before, most likely while watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.
Among other “sensitive” information on the servers was “NOFLY.CSV,” which, amusingly, was exactly what it says on the box: “The server contained data from a 2019 version of the federal no-fly list that included first and last name and date of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, who worked with crimew to sift through the data. “Additionally, certain CommuteAir employee and flight information was available. We have submitted a notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
That “employee and flight information” includes, as crimew writes:
fetch sample documents from various s3 buckets, loop through flight plans and dump some dynamodb tables. at this point I had found pretty much all the PII imaginable for each of your crew members. full name, addresses, telephone numbers, passport numbers, flight certificate numbers, when their next line check is due and much more. I had travel sheets for every flight, the potential to access every flight schedule ever, a whole bunch of picture attachments to bookings for refund flights that contained yet more PII, flight maintenance data, you name it.
The government is now investigating the leak, as is the TSA, which told the Daily Dot it is “aware of a potential cybersecurity incident and we are investigating in coordination with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to tell. Crimew tells me that in this version of the records “there are about 1.5 million entries, but given many different aliases for different people, it is very difficult to know the actual number of unique people on it” (an estimate for 2016 put the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).
Interestingly, given that the list was uploaded to CommuteAir’s servers in 2022, it was assumed that was the year the records were from. Instead, crimew tells me “the only reason we [now] know [it] is from 2019 is because the airline keeps confirming it in all its press releases, before that we assumed it was from 2022.”
You can check out crimew’s blog here, while the Daily Dot’s post – which says names on the list include members of the IRA and an eight-year-old – is here.