The Transportation Security Administration’s No-Fly List is one of the most important ledgers in the United States, containing as it does the names of people who are perceived to be of such a threat to national security that they’re not allowed on airplanes. You’d have been forgiven then for thinking that list was a tightly-guarded state secret, but lol, nope.
A Swiss hacker known as “maia arson crimew” has got hold of a copy of the list—albeit a version from a few years ago—not by getting past fortress-like layers of cybersecurity, but by…finding a regional airline that had its data lying around in unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito is looking awfully pleased with themselves.
As they explain in a blog post detailing the process, crimew was poking around online when they found that CommuteAir’s servers were just sitting there:
like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i’ve probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familar words. “ACARS”, lots of mentions of “crew” and so on. lots of words i’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.
Among other “sensitive” information on the servers was “NOFLY.CSV”, which hilariously was exactly what it says on the box: “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, who worked with crimew to sift through the data. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
That “employee and flight information” includes, as crimew writes:
grabbing sample documents from various s3 buckets, going through flight plans and dumping some dynamodb tables. at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot they are “aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners”.
If you’re wondering just how many names are on the list, it’s hard to tell. Crimew tells Kotaku that in this version of the records “there are about 1.5 million entries, but given a lot are different aliases for different people it’s very hard to know the actual number of unique people on it” (a 2016 estimate had the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).
Interestingly, given the list was uploaded to CommuteAir’s servers in 2022, it was assumed that was the year the records were from. Instead, crimew tells me “the only reason we [now] know [it] is from 2019 is because the airline keeps confirming so in all their press statements, before that we assumed it was from 2022.”