Although the list is outdated, the TSA is investigating, calling the accident a potential cybersecurity incident.
A Swiss hacker reportedly discovered access to an unsecured server containing thousands of individuals’ identities from the United States Terrorist Screening Database and No Fly List. CommutAir, the regional carrier flying under United Airlines’ United Express brand, left the server exposed on the internet.
According to the Daily Dot, the server revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. The hacker also said there were more than a million entries on the No Fly List.
An investigation has been launched
CommutAir Corporate Communications Manager Erik Kane confirmed the incident to the Daily Dot and said the airline is investigating.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth. In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.” – Erik Kane, CommuteAir Corporate Communications Manager
The regional airline reportedly said the exposed server was for testing purposes and did not expose any customer information based on an initial investigation. The server has since been taken offline.
The Transportation Security Administration (TSA) is also investigating, according to CNN.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.”
What did the hacker find?
According to the Daily Dot, the hacker’s discovery of the server resulted in the analysis of a text file entitled “No Fly.csv,” which was the list of individuals in the US Terrorist Screening Database who have been banned from air travel from having suspected or known ties to terrorist organizations.
The hacker said the file appeared to have a total of 1.5 million entries and included several entries with false or assumed identities. Numerous names reportedly included aliases that were commonly misspelled or had slightly altered versions of their names.
Several notable names were included on the list, including Viktor Bout, a Russian arms dealer recently released as part of an exchange with US basketball player Brittney Griner. Along with Bout, there are reportedly over 16 potential aliases for him. They comprised different misspellings of Bout, other versions of his first name, and different birthdays. Many of the birthdates did, however, align with the recorded date Bout was born.
Other figures on the list include suspected members of the Irish Republican Army and an individual who was only eight years old, based on their birthdate. Many names also appeared to be of Arabic or Middle Eastern descent, although Hispanic and Anglican-sounding words were also on the list.
Details on the hacker
The hacker, identified as Maia arson crimew, formerly Tillie Kottmann, spoke to the Daily Dot about the demographic of some of the names on the list.
“It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries.”
The hacker, who also referred to themselves as a security researcher, has come under fire for their hacks. In 2021, crimew was indicted for conspiracy, wire fraud, and aggravated identity theft, according to the US Department of Justice.
Sources: Daily Dot, CNN