The TSAs no-fly list, containing the identities of known or suspected terrorists, has been discovered sitting on the public internet by a hacker who stumbled upon it when they were bored.
Consisting of 1.5 million entries with names and birthdates, the document was found within a computer server hosted by regional Ohio-based airline CommuteAir under a text file plainly titled No-Fly.csv.
TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners, said TSA in a statement.
The Swiss hacker, who goes by maia arson crimew online, said she had been using Shodan at the time, a search-engine used by those in the cybersecurity community to locate servers exposed to the open internet.
She notified CommuteAir, and published the details of her discovery in a blog post titled how to completely own an airline in 3 easy steps, describing the revelation as a jackpot.
I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results, she added.
CommuteAir confirmed the authenticity of the document to tech news outlet The Daily Dot, which first reported on the data exposure, but said that the list dates back to 2019.
They also confirmed that the server did contain the personal details of around 900 employees, including names, birth dates and the last four digits of social security numbers, but it did not have any customer information, according to the results of their continued investigation.
The airline added that the server was a development server used for testing purposes, and that it has now been taken offline.
Exposed data
The list reportedly contains the details of convicted Russian arms dealer Viktor Bout and 16 other aliases, who was recently sent back to Russia by the Biden administration in a prisoner exchange for WNBA star Brittney Griner.
It also includes several suspected members of the IRA, and even the names of children, according to the hacker who stated that one such entrys birth date would make them eight years old.
The hacker has pointed out, alongside other researchers, that the list contains a large percentage of Arabic or Middle Eastern names.
Its just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries, she said.
The server also contains significant details of roughly 900 CommuteAir employees including names, birth dates and the last four digits of their social security numbers.
Hacker known to authorities
This is not the first time that hacker maia arson crimew has made some waves. Aged 23, from Switzerland, she has previously gone by the name Tillie Kottmann and described herself as a cybersecurity researcher, according to a report by CNN.
She was allegedly involved in the breach of U.S. security camera maker Verkada in 2021, accessing live feeds of thousands of cameras inside hospitals and prisons.
In the same year, a person with the same name was indicted by a U.S. grand jury for taking part in a conspiracy hacking into multiple companies and government organizations as well as posting stolen data online.
Learn how to navigate and strengthen trust in your business with The Trust Factor, a weekly newsletter examining what leaders need to succeed. Sign up here.