
TSA’s no-fly list was exposed by a hacker who found it when she was ‘bored’

By Alice Hearing
January 23, 2023, 8:13 AM ET
A Transportation Security Administration (TSA) officer works at a security checkpoint
The TSA confirmed it was investigating a “potential cybersecurity incident.” Photo: Andrew Harrer, Bloomberg via Getty Images

The TSA’s no-fly list, containing the identities of known or suspected terrorists, has been discovered sitting on the public internet by a hacker who stumbled upon it when she was bored. 

Consisting of 1.5 million entries with names and birthdates, the document was found within a computer server hosted by regional Ohio-based airline CommuteAir under a text file plainly titled “No-Fly.csv.” 

“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” said TSA in a statement. 

The Swiss hacker, who goes by maia arson crimew online, said she had been using Shodan at the time, a search engine used by those in the cybersecurity community to locate servers exposed to the open internet. 

She notified CommuteAir and published the details of her discovery in a blog post titled “How to completely own an airline in 3 easy steps,” describing the revelation as a “jackpot.” 

“I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results,” she added. 

CommuteAir confirmed the authenticity of the document to tech news outlet The Daily Dot, which first reported on the data exposure, but said that the list dates back to 2019.

The airline also confirmed that the server did contain the personal details of around 900 employees, including names, birthdates, and the last four digits of Social Security numbers, but it did not have any customer information, according to the results of the continued investigation. 

CommuteAir added that the server was a “development server” used for testing purposes and that it has now been taken offline.

Exposed data

The list reportedly contains the details of convicted Russian arms dealer Viktor Bout and 16 other aliases. Bout was recently sent back to Russia by the Biden administration in a prisoner exchange for WNBA star Brittney Griner.

It also includes several suspected members of the IRA, and even the names of children, according to the hacker, who stated that one such entry’s birth date would make the child 8 years old. 

The hacker has pointed out, alongside other researchers, that the list contains a large percentage of Arabic or Middle Eastern names. 

“It’s just crazy to me how big that Terrorism Screening Database is, and yet there is still very clear trends toward almost exclusively Arabic and Russian-sounding names throughout the million entries,” she said. 

Hacker known to authorities

This is not the first time that hacker maia arson crimew has made waves. The 23-year-old from Switzerland has previously gone by the name Tillie Kottmann and described herself as a cybersecurity researcher, according to a report by CNN.

She was allegedly involved in the breach of U.S. security camera maker Verkada in 2021, accessing live feeds of thousands of cameras inside hospitals and prisons.

In the same year, a person with the same name was indicted by a U.S. grand jury for taking part in a conspiracy to hack into multiple companies and government organizations, as well as posting stolen data online.
