By Steve Neavling
The TSA has launched an investigation after a hacker appears to have gained access to the 2019 federal no-fly list, which includes the names and birthdates of known or suspected terrorists.
The Swiss hacker, known as maia arson crimew, leaked the list after it was being stored on an insecure server connected to a commercial airline, The Daily Dot and CNN report.
“Like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting goods,” crimew said in a blog about the leak. “At this point I’ve probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on. Lots of words I’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”
The server contained company data about CommuteAir, including the no-fly list and private information about the company’s employees.
The TSA said it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”
In a statement to the Daily Dot, Commute Air said the exposed data was used for testing purposes.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”