U.S. authorities are investigating after a hacker claimed to have found a version of the country’s no-fly list on an unsecured server linked to a commercial airline company.
The server was found while the hacker was browsing Shodan, a search engine for internet-connected devices, looking for exposed servers that may contain valuable information.
Among the 20 servers that crimew said she clicked through, this particular server caught her attention due to the presence of familiar keywords such as “ACARS” and “crew” which were related to the aviation industry. ACARS (Aircraft Communications Addressing and Reporting System) is a digital communication system used for messaging between aircraft and ground stations.
The hacker described the discovery as a “jackpot.”
TSA Investigating
The TSA has said it is investigating a “potential cybersecurity incident” following the hacker’s claim but had nothing further to say.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” the agency said in a statement to The Epoch Times.
CommuteAir stated that the exposed server, used for testing purposes, was taken offline before publication and their initial investigation indicated that no customer information was compromised. They also confirmed that the data on the server was a version of the “federal no-fly list” from about four years ago.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said in a statement obtained by Daily Dot.
“In addition, certain CommuteAir employee and flight information was accessible,” he continued. “We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
CommuteAir is an Ohio-based regional airline that in June 2020 took over the role of ExpressJet as the carrier for United Express, United’s regional branch that operates short flights.
Not First Time
The U.S. government’s federal no-fly list was previously exposed in 2021 by another security researcher, Volodymyr “Bob” Diachenko.
“I discovered the exposed data on the same day and reported it to the DHS,” Diachenko wrote on LinkedIn. “The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.”
Diachenko warned that in the wrong hands, the no-fly list could be used to target individuals.
“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime,” he wrote. “In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”