- A Swiss hacker says she found a copy of the FBI’s “no-fly” list on an unsecured server.
- The 2019 list, with over 1.5 million entries, includes a huge number of Muslim travelers.
- The server, maintained by CommuteAir, also held employees’ private information, such as passport numbers.
The FBI’s terror watchdog’s secret list just got a little less mysterious thanks to a pesky Swiss hacker who was probing vulnerable servers in her spare time.
Maia arson crimew, described by the Justice Department as a “prolific” hacker in an unrelated indictment, said she was clicking through an Internet search engine full of unsecured servers on Jan. 12 when she accessed one maintained by a little-known airline and found highly sensitive documents, along with what she called the “jackpot” of other information.
The Daily Dot first reported Thursday that the server, hosted by CommuteAir, the regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted version of the 2019 anti-terrorism “no-fly” list. The “NoFly.csv” and “selectee.csv” files found by crimew contain more than 1.8 million entries including the names and dates of birth of people the FBI identifies as “known or suspected terrorists” who are denied boarding “when flying within , to, from and through the United States.”
A spokesperson for the airline confirmed the authenticity of the files to Insider and said the hack also found personal information belonging to employees.
“Based on our initial investigation, no customer data was exposed,” Erik Kane, a spokesperson for CommuteAir, said in a statement to Insider. “CommuteAir immediately shut down the affected server and began an investigation to determine the extent of data access. CommuteAir reported the data exposure to the Cybersecurity and Infrastructure Security Agency and also notified its employees.”
The Traffic Safety Administration confirmed to Insider that it is aware of the incident.
“We are investigating in collaboration with our federal partners,” TSA spokeswoman Lorie Dankers said in a statement to Insider.
The FBI did not immediately respond to Insider’s request for comment.
Easily accessible secrets
Crimew told Insider that it only took her a few minutes to access the server and find the credentials that allowed her to see the database. She said she was researching the servers as a way to combat boredom while sitting alone, and that she did not intend to reveal anything that would have US national security implications.
While browsing the files on the company’s server, “it dawned on me how much I already owned within just half an hour or so,” Crimew wrote in a blog post detailing the hack. The credentials she found, which gave her access to the files, would also give her access to the internal interfaces that controlled refueling, canceling and updating flights, and replacing crew members — if she was inclined, she wrote.
The huge files, reviewed by Insider, contain more than a dozen aliases for Viktor Bout, the Russian “dealer of death” who was traded in a prisoner exchange for basketball player Brittney Griner, as well as a large number of names of people suspected of organizing crime in Ireland. However, Crimew said there was a significant trend among the names.
“Looking at the files, it just confirmed a lot of things that I, and probably everyone else, kind of suspected in terms of bias in that list,” Crimew told Insider. “Just scrolling through it, you’ll see that almost every name is Middle Eastern.”
Edward Hasbrouck, a writer and human rights advocate, wrote in his analysis of the documents that the lists “confirm the TSA’s (1) Islamophobia, (2) overconfidence in the safety of its pre-crime predictions, and (3) mission creep.”
“The most obvious pattern in the data is the overwhelming preponderance of Arab or Muslim names,” Hasbrouck wrote in an essay published Friday by Papers, Please, an advocacy group dedicated to tackling creeping national identity-based travel rules.
“No Fly” mission creep
The “no-fly” list was created during the George W. Bush administration, originally starting as a small list of people who could not fly on commercial flights because of specific threats. A list was formalized and greatly expanded in scope after the 9/11 terrorist attacks on New York, a national tragedy that sparked an increase in anti-Muslim discrimination and hate crimes across the country, according to the DOJ.
Inclusion on the list prevents people identified by the FBI who “may pose a threat to civil aviation or national security” from boarding aircraft flying within, to, from, or over the United States. They don’t have to be charged or convicted of a crime to be included, they just have to be “reasonably suspected” of aiding or planning terrorist acts.
In the years since the original no fly list was formed, it has gained official federal recognition and grown from just 16 names, according to the ACLU, to 1,807,230 entries in documents found by crimew.
When you look at the list, Crimew told Insider, “you start to notice how young some of the people are.” Among the hundreds of thousands of names on the list are children of suspected terrorists, including a child whose birth date indicates she would have been four or five years old at the time they were included.
“What problem is this even trying to solve?” Crimew told Insider. “I feel like this is just a very perverse offshoot of the surveillance state. And not just in the US, this is a global trend.”
In the early 2000s, there were many reports of people wrongly placed on the “no-fly” list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal lawsuit over the list, which led to the release of its then-30,000 names, and the TSA established an ombudsman to oversee complaints.
Not the first hack
Crimew, a staunch leftist and anti-capitalist, has been charged with conspiracy, wire fraud and aggravated identity theft in connection with a previous hack in 2021. The DOJ alleges that she and several co-conspirators “hacked dozens of companies and government entities and released private information about victims of more than 100 entities on the web.”
The outcome of the 2021 case is still pending, Crimw told Insider. Although she has not been contacted by police about the latest hack, she said she wouldn’t be surprised if she again attracted the attention of federal agencies.
“That’s just a lot of personal information that could be used against people, especially in the hands of non-US intelligence agencies,” Crimew wrote in a statement to Insider. For this reason, she said she decided to publish the list through journalists and academic sources instead of freely publishing it on her blog. “I just feel dubious about publicly releasing a list full of people that some government entity considers ‘bad’. (Not that the US doesn’t use it against people, it just doesn’t need to get into the hands of even more people causing harm).”
CommuteAir faced a similar data breach in November, CNN reported, after an “unauthorized party” accessed information including names, dates of birth and partial Social Security numbers held by the airline.
Crimew told Insider that the company’s lack of investment in its cybersecurity was a failure caused by corporate greed, saying it was cheaper for the company to reduce its security procedures and pay to deal with the fallout than to properly invest in a more secure system.
“Even the fact that they’ve been hacked before obviously wasn’t enough for them to really invest in it. And that really just shows where the priorities are,” Crimew told Insider: “I just hope that maybe they learned a lesson the second time around.”