Lazy eyes listen
After a Swiss hacker discovered a copy of the FBI’s infamous “no-fly” list on an unsecured server belonging to regional US airline CommuteAir, the Transportation Security Administration is reportedly doing damage control.
The TSA acknowledged in a statement to the Daily Dot on Thursday that it was “aware of a potential cybersecurity incident” and was investigating with other federal agencies.
According to a Thursday blog post, the hacker known as ‘maia arson crimew’ discovered a four-year-old copy of the no-fly list, a subset of the FBI’s Terrorist Screening Database comprised of individuals barred from air travel due to known or suspected terrorist ties, while digging through an unsecured Jenkins server.
The data, which was stored in an unencrypted database file called nofly.csv, contained 1.5 million entries, including names and birth dates. While many were aliases – Viktor Bout, the Russian businessman imprisoned in the United States on arms trading charges until his recent prisoner swap with American basketball player Brittney Griner, had more than 16 alternate names and spellings listed, as well as several possible birthdays – crimew was taken aback by the length of the list.
“It’s crazy to think about how large that Terrorism Screening Database is and yet there are still very clear trends toward almost exclusively Arabic and Russian sounding names throughout the million entries,” she told the Daily Dot.
Outliers included suspected members of the Irish paramilitary group the IRA, as well as one person who, based on their birthdate, was only eight years old.
According to crimew, the server also contained private information on approximately 900 CommuteAir employees, such as names, passport numbers, addresses, and phone numbers. The airline told the Daily Dot that it had taken the server offline and reported the unauthorized access to the Cybersecurity and Infrastructure Security Agency, while emphasizing that the server was used for “testing purposes” and that no customer data had been compromised – only employee data.
In 2019, a federal judge ruled that the Terrorist Screening Database was unconstitutional, claiming that the lack of an “ascertainable standard for inclusion and exclusion” violated the due process rights of those named on the list. There have been no significant attempts to enforce that decision since. The FBI distributes the list to over 500 private-sector entities that it considers ‘law enforcement adjacent,’ as well as over 60 foreign governments.