The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States: it lists the names of people considered such a threat to national security that they are not allowed on airplanes. You’d be forgiven, then, for thinking that list was a closely guarded state secret, but lol, no.
A Swiss hacker known as “maia arson crimew” got their hands on a copy of the list – albeit a version from a few years ago – not by circumventing fortress-like layers of cybersecurity, but by finding… a regional airline that had its data lying around on unprotected servers. They announced the discovery with the above photo and screenshot, in which the Pokémon Sprigatito looks eerily pleased with itself.
As they explain in a blog post describing the process, crimew was poking around online when they discovered that CommuteAir’s servers were just sitting there:
like so many other of my hacks, this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point I’ve probably clicked through 20 or so boring exposed servers with very little interest when suddenly I start seeing some familiar words. “acars”, many mentions of “crew” and so on. many words I’ve heard before, probably while binge-watching Mentour Pilot youtube videos. jackpot. an exposed Jenkins server that belongs to CommuteAir.
Among other “sensitive” information on the servers was “NOFLY.CSV,” which was, hilariously, exactly what it said on the box: “The server contained data from a 2019 version of the federal no-fly list of first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, which worked with crimew to search the data. “In addition, certain CommuteAir personnel and flight information was accessible. We have filed a report with the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
That “employee and flight information” went well beyond names, as crimew writes:
grab sample documents from various s3 buckets, go through flight plans and dump some dynamodb tables. at that point I had found pretty much every PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot license numbers, when their next line check is due and much more. I had trip reports for every flight, the ability to access every flight plan ever, a slew of image attachments to bookings for reimbursed flights with even more PII, aircraft maintenance records, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot it is “aware of a possible cybersecurity incident, and we are investigating in coordination with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to say. Crimew tells me that in this version of the records “there are about 1.5 million entries, but since there are many different aliases for different people, it is very difficult to know the actual number of unique people on them” (an estimate from 2016 put the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).
Interestingly, since the list was uploaded to CommuteAir’s servers in 2022, it was at first assumed that this was the year the records came from. Instead, crimew tells me, “the only reason why we [now] know [it] is from 2019 is because the airline always confirms this in all their press statements, before that we assumed it was from 2022.”