A foreign hacker obtained an old copy of the US government’s terrorism screening database and “no-fly” list from an unsecured server belonging to a commercial airline.
A Swiss hacker known as “maia arson crimew” blogged Thursday that she discovered the Transportation Security Administration’s 2019 “no-fly” list and a trove of data belonging to CommuteAir on an unsecured Amazon Web Services cloud server used by the airline.
The hacker told The Daily Dot that the list appears to have more than 1.5 million entries. The data allegedly included the names and dates of birth of various individuals who had been banned from air travel by the government because of suspected or known links to terrorist organizations. The Daily Dot reported that the list contains multiple aliases, so the number of unique individuals on the list is far lower at 1.5 million.
Notable individuals reported to be on the list include Russian arms dealer Viktor Bout, who was recently released by the Biden administration in exchange for WNBA star Brittney Griner, and suspected IRA members and others, The Daily Dot reports.
FAA REVEALS WHAT CAUSED COMPUTER SHUTDOWN CAUSING GROUND STOP
USA EXTENDS AIR TRAVEL MANDATE AGAINST COVID-19 FOR INTERNATIONAL VISITORS
“It’s just crazy to me how big that terrorist screening database is, and yet there are still very clear trends towards having Arabic and Russian-sounding names almost exclusively in the millions of entries,” Crimew told this newspaper.
Asked for comment, a TSA spokesman said the agency is “aware of a potential cybersecurity incident and we are investigating in cooperation with our federal partners.”
In a statement to FOX Business, CommuteAir confirmed the legitimacy of the hacked “no fly” list and the data that contained private information about the company’s employees.
FTX SAYS HACKERS STOLE $415 MILLION AFTER CRYPTOCURRENCY EXCHANGE FILES BANKRUPTCY
“CommuteAir was notified by a member of the security research community who identified a misconfigured development server,” said Erik Kane, head of corporate communications for CommuteAir. “The investigator accessed files, including an outdated version of the 2019 federal no-fly list that included the first and last name and date of birth. Additionally, through information found on the server, the investigator discovered access to a database containing personal information about a CommuteAir employee.
“Based on our initial investigation, no customer information was disclosed,” Kane added. “CommuteAir immediately shut down the affected server and began an investigation to determine the extent of data access. CommuteAir reported the data exposure to the Cybersecurity and Infrastructure Security Agency and also notified its employees.”
CommuteAir is a regional airline founded in 1989 and headquartered in Ohio. The company operates from hubs in Denver, Houston and Washington Dulles and has more than 1,600 flights per week to more than 75 US destinations and three in Mexico.
CLICK HERE TO READ MORE ABOUT FOX BUSINESS
According to Crimew’s Wikipedia page, which the hacker claims is accurate, she was indicted by a United States grand jury in March 2021 on criminal charges related to her alleged hacking activities between 2019 and 2021. Her Twitter bio describes her as “indicted hacktivist/security researcher, artist, mentally ill enby polyam trans lesbian anarchist kitten (θΔ), 23 years old.”