A U.S. No Fly list with over 1.5 million records of banned flyers and upwards of 250,000 ‘selectees’ has been shared publicly on a hacking forum.
BleepingComputer has confirmed the list is the same TSA No Fly list that was discovered recently on an unsecured CommuteAir server.
No Fly list made public
The server in question belonged to Ohio-based airline CommuteAir. Although steps were taken earlier to patch the leak, the No Fly list regardless surfaced online as of January 26th on a publicly-accessible hacking forum:
We verified with Thalen and another source that the lists posted on the forum are the same no-fly and selectee lists that were recently discovered on the CommuteAir server.
BleepingComputer reviewed a portion of these lists—provided as two CSV files named, ‘NOFLY’ and ‘SELECTEE.’ The latter list likely names some of the passengers who undergo a Secondary Security Screening Selection (SSSS) at airports when flying into the U.S.
The no-fly spreadsheet posted on the forum contains 1,566,062 records, and includes duplicates/spelling variations of some names. The ‘SELECTEE’ list comprises 251,169 records. The presence of duplicates and aliases in the list implies the total number of exposed names are fewer than 1.5 million.
Both spreadsheets contain a person’s first name, last name, potential aliases, and date of birth. The lists, according to the hacker, are from the year 2019.
The list mentions Russian arms dealer, Viktor Bout along with his 16 potential aliases, the Daily Dot observed.
FBI’s TSC (Terrorist Screening Center) is relied upon by multiple federal agencies to manage and share consolidated information for counterterrorism purposes. The agency maintains a watchlist called the Terrorist Screening Database, sometimes also referred to as the “No Fly list.”
Such databases are secretive, even if not “classified” and regarded as sensitive in nature, given the vital role they play in aiding with national security and law enforcement tasks. Terrorists or reasonable suspects who pose a national security risk are “nominated” for placement on the secret watchlist at the government’s discretion.
The No Fly list is generally withheld from the public eye. The list is, however, referenced by private airlines and multiple agencies such as the Department of State, Department of Defense, Transportation Security Agency (TSA), and Customs and Border Protection (CBP) to check if a passenger is allowed to fly, inadmissible to the U.S. or assess their risk for various other activities.
Researchers including Bob Diachenko have previously discovered secret terrorist watchlists left exposed on the internet, but these leaks were patched long before receiving mainstream news coverage. This is the first time, however, such a list has been shared on a publicly accessible website for anyone to see.
Interestingly, the list discovered in 2021 by Diachenko was rather detailed: containing fields such as names, gender, passport number along with the country of issuance, TSC ID, watchlist ID, etc. compared to the one published on the forum this month.
U.S. Government investigating
Although the security breach originated at an exposed AWS server belonging to an airline, it has sent chills down the U.S. government machinery, with government officials and lawmakers probing into the matter.
TSA has been investigating the cybersecurity incident.
“On January 27, TSA issued a security directive to airports and air carriers,” a TSA spokesperson told BleepingComputer in an updated statement.
“The security directive reinforces existing requirements on handling sensitive security information and personally identifiable information. We will continue to work with partners to ensure that they implement security requirements to safeguard systems and networks from cyberattacks.”
A source familiar with the matter told BleepingComputer that no TSA information systems were compromised as part of this breach. Additionally, the federal agency has issued an Industry Security Awareness message to all aircraft carriers to review their systems and take immediate action to ensure their files are protected.
In a statement shared with BleepingComputer, a CommuteAir spokesperson said:
“CommuteAir was notified by a member of the security research community who identified a misconfigured development server. The researcher accessed files uploaded to the server in July 2022 that included outdated 2019 versions of the federal no-fly and selectee lists that contained certain individuals’ names and dates of birth. The lists were used for testing our software-based compliance process for implementing federally-mandated security requirements. Additionally, through the server, the researcher accessed a database containing personal identifiable information of CommuteAir employees. CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. To date, our investigation indicates that no customer data was exposed. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”
BleepingComputer has approached the FBI for comment.
An important point to note is, more than just a data leak discovery, the incident may now become a matter of national security, given the claims made by the hacker:
“Additionally, the hacker claimed they may have been able to exploit their access to the server to cancel or delay flights and even switch out crew members. If this were to be the case, the national security implications of this are alarming,” write the U.S. Homeland Security Committee Members in a letter dated January 26th:
The transport systems sector is among the 16 critical infrastructure sectors in the U.S., states the letter. “The notion that such a consequential database be left unsecure is a matter concerning cybersecurity, aviation security, as well as civil rights and liberties.”
The hacker, maia arson crimew, previously known by aliases deletescape, antiproprietary, and Tillie Kottmann, was earlier indicted by a U.S. grand jury over conspiracy, wire fraud, and aggravated identity theft charges (PDF).
The hacker was formerly involved in the Verkada hack, enabling her to gain unauthorized access to security cameras at Tesla, Cloudflare, and offices of various Verkada client organizations.