US No-Fly List Exposed Again by Hacker, TSA Investigating

US No-Fly List Exposed Again by Hacker, TSA Investigating
A United Airlines Boeing 737 takes off from Los Angeles International Airport (LAX) in Los Angeles on June 16, 2022. Daniel Slim/AFP via Getty Images
Caden Pearson
Updated:
0:00

U.S. authorities are investigating after a hacker claimed to have found a version of the country’s no-fly list on an unsecured server linked to a commercial airline company.

The Swiss hacker, who goes by the name maia arson crimew, said in a blog post that she recently discovered the list on an unsecured Jenkins server belonging to national airline CommuteAir. The Transportation Security Administration’s (TSA) no-fly database lists known or suspected terrorists who are prohibited from flying.

The server was found while the hacker was browsing Shodan, a search engine for internet-connected devices, looking for exposed servers that may contain valuable information.

Among the 20 servers that crimew said she clicked through, this particular server caught her attention due to the presence of familiar keywords such as “ACARS” and “crew” which were related to the aviation industry. ACARS (Aircraft Communications Addressing and Reporting System) is a digital communication system used for messaging between aircraft and ground stations.

The hacker described the discovery as a “jackpot.”

Crimew said she discovered a text file on the server named “NoFly.csv” which contained sensitive information about almost 1,000 CommuteAir employees and a list of over 1.5 million entries about individuals (and their aliases) from the Terrorist Screening Database.

TSA Investigating

The TSA has said it is investigating a “potential cybersecurity incident” following the hacker’s claim but had nothing further to say.

“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” the agency said in a statement to The Epoch Times.

The breach, first reported by Daily Dot, reportedly includes the identities of hundreds of thousands of individuals and was left publicly exposed online by CommuteAir.

CommuteAir stated that the exposed server, used for testing purposes, was taken offline before publication and their initial investigation indicated that no customer information was compromised. They also confirmed that the data on the server was a version of the “federal no-fly list” from about four years ago.

“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said in a statement obtained by Daily Dot.

“In addition, certain CommuteAir employee and flight information was accessible,“ he continued. ”We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

CommuteAir is an Ohio-based regional airline that took over the role of ExpressJet as the carrier for United Express in June 2020, which is United’s regional branch that operates short flights.

The Epoch Times contacted CommuteAir for further comment.

Not First Time

The U.S. government’s federal no-fly list was previously exposed in 2021 by another security researcher, Volodymyr “Bob” Diachenko.
Diachenko said he came across the exposed data on July 19, 2021, after it was indexed by search engines Censys and Zoomeye, both similar to Shodan.

“I discovered the exposed data on the same day and reported it to the DHS,” Diachenko wrote on LinkedIn. “The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.”

Diachenko warned that in the wrong hands, the no-fly list could be used to target individuals.

“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime,” he wrote. “In the wrong hands, this list could be used to oppress, harrass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”