The Transportation Security Administration’s no-fly list is one of the largest registries in the United States, containing as it does the names of people who are perceived to be such a threat to national security that they are forbidden on airplanes. You would have been forgiven then for thinking that this list was a well-kept state secret, but lol, no.
A Swiss hacker known as ‘maia arson crimew’ got his hands on a copy of the list, albeit a version from a few years ago, not bypassing layers Fortress-like cybersecurity systems, but… finding a regional airline that had its data lying around on unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito looks awfully pleased with themselves.
As they explain in a blog post detailing the processcrimew was digging online when they found CommuteAir’s servers were right there:
like so many of my hacks, this story begins with boredom and navigation shodan (or, technically zoomeyeChinese shodan), looking for exposed jenkins servers that may contain interesting goods. at this point i’ve probably clicked through about 20 annoying exposed servers with very little interest, when i suddenly start seeing some familiar words. “mitesmany mentions of “crew” and so on. many words I’ve heard before, probably from binge-watching mentor pilot youtube videos. jackpot. an exposed jenkins server owned by CommuteAir.
Other “sensitive” information on the servers was “NOFLY.CSV”, which was hilarious exactly what it says on the box: “The server contained data from a 2019 version of the federal list of flight ban that included first and last names and dates of birth,” Erik Kane, CommuteAir’s director of corporate communications say it daily itemwho worked with crimew to sift through the data. “In addition, some CommuteAir employee and flight information was accessible. We have submitted a notification to the Cybersecurity and Infrastructure Security Agency and are continuing a full investigation.
This “employee and theft information” includes, as crimew writes:
retrieve sample documents from various s3 buckets, browse flight plans, and dump some dynamodb tables. by this point, I had found just about every PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot license numbers, date of their next online check and much more. I had trip sheets for every flight, the ability to access all flight plans, a whole bunch of images attached to refunded flight bookings containing even more PII, aircraft maintenance data, etc. .
The government is now investigating the leak, along with the TSA tell the daily item they are “aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to tell. Crimea tells my city that in this version of the records “there are about 1.5 million entries, but since there are many different aliases for different people, it is very difficult to know the actual number of unique people on them” (a 2016 estimate had the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).
Interestingly, since the list was uploaded to CommuteAir’s servers in 2022, it was assumed that was the year the recordings originated from. Instead, crimew tells me “the only reason we [now] know [it] is 2019, that’s because the airline keeps confirming that in all their press releases, before that we assumed it was 2022.”
You can consult crimew’s blog herewhile the daily item post—which says the names on the list include IRA members and an eight-year-old child—is here.