The database with over 1.5 million names and aliases was allegedly discovered on an unsecured server
The US Transportation Security Administration is reportedly doing damage control after a Swiss hacker found a copy of the FBI’s infamous “no-fly” list on an unsecured server belonging to regional US airline CommuteAir.
In a statement to tech outlet the Daily Dot on Thursday, the TSA acknowledged it was “aware of a potential cybersecurity incident” and investigating with other federal agencies.
The hacker, who goes by the name ‘maia arson crimew’, found a four-year-old copy of the no-fly list, a subset of the FBI’s Terrorist Screening Database comprised of individuals forbidden from air travel over their known or suspected terrorist ties, while digging through an unsecured Jenkins server, according to a Thursday blog post.
Stored in an unencrypted, helpfully-named database file as nofly.csv, the data included 1.5 million entries, names and birth dates. While many were aliases – Viktor Bout, the Russian businessman imprisoned in the US on arms trading charges until the recent prisoner swap with American basketball player Brittney Griner, had more than 16 alternate names and spellings listed, plus several possible birthdays – crimew nevertheless expressed shock at the size of the list.
“It’s just crazy to know how big that Terrorism Screening Database is and yet there is still very clear trends toward almost exclusively Arabic and Russian sounding names throughout the million entries,” she told the Daily Dot.
Outliers included suspected members of Irish paramilitary group the IRA, as well as one individual who – judging by their birthdate, at least – was only eight years old.
The server also included private information on about 900 CommuteAir employees, including names, passport numbers, addresses, and phone numbers, according to crimew. The airline told the Daily Dot it had taken the server offline and reported the unauthorized access to the Cybersecurity and Infrastructure Security Agency, while stressing that the server had been used for “testing purposes” and no customer data was breached – only that of employees.
A federal judge ruled the Terrorist Screening Database unconstitutional in 2019, arguing that because there was no “ascertainable standard for inclusion and exclusion,” it violated the due process rights of those named on the list. There have been no meaningful attempts to enforce that ruling since. The FBI shares the list with over 500 private-sector entities it deems ‘law enforcement adjacent,’ as well as over 60 foreign governments.