The Transportation Security Administration's No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be of such a threat to national security that they're not allowed on airplanes. You'd have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.
A Swiss hacker known as "maia arson crimew" has got hold of a copy of the list (albeit a version from a few years ago), not by getting past fortress-like layers of cybersecurity, but by…finding a regional airline that had its data lying around in unprotected servers. It announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.
As it explains in a blog post detailing the process, crimew was poking around online when it found that CommuteAir's servers were just sitting there:
like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i've probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familiar words. "ACARS", lots of mentions of "crew" and so on. lots of words i've heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir
Among other "sensitive" information on the servers was "NOFLY.CSV", which hilariously was exactly what it says on the box: "The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth," CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, who worked with crimew to sift through the data. "In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation."
That "employee and flight information" includes, as crimew writes:
grabbing sample documents from various s3 buckets, going through flight plans and dumping some dynamodb tables. at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot's license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot they are "aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners".
If you're wondering just how many names are on the list, it's hard to tell. Crimew tells Kotaku that in this version of the records "there are about 1.5 million entries, but given a lot are different aliases for different people it's very hard to know the actual number of unique people on it" (a 2016 estimate had the numbers at "2,484,442 records, consisting of 1,877,133 individual identities").
Interestingly, given the list was uploaded to CommuteAir's servers in 2022, it was assumed that was the year the records were from. Instead, crimew tells me "the only reason we [now] know [it] is from 2019 is because the airline keeps confirming so in all their press statements, before that we assumed it was from 2022."
You can check out crimew's blog here, while the Daily Dot post, which says names on the list include members of the IRA and an eight-year-old, is here.