US No-Fly list leaked online

Hacker had no malicious intent and 'was bored'

US No Fly list with over 1.5 million names leaked on hacking forum

A list of more than 1.5 million records of people who are banned from commercial flights in the USA has been posted in a hacking forum.

The list includes the names, aliases and birthdates of persons who are either confirmed to be or are strongly suspected of being terrorists.

People on the list are not allowed to fly on any commercial airlines that operate inside, to, or from the United States.

The Daily Dot was the first to report that the Swiss hacker/security researcher maia arson crimew (formerly known as Tillie Kottmann) found a copy of the United States government's No Fly List on a misconfigured AWS server.

Crimew has previously obtained information from Intel, Nissan and Verkada in a series of high-profile and embarrassing hacks.

She found the US No Fly list while searching Shodan, a search engine for Internet-connected devices.

Crimew said CommuteAir's publicly accessible server included a text file called "NoFly.csv" with more than 1.5 million names.

She told Business Insider it took her 'just a few minutes' to access the server and find the login information necessary for her to see the database. She claimed she wasn't looking for anything that would compromise US national security; rather, she was looking around the servers to relieve boredom.

Despite efforts to remedy the breach, the No Fly list was posted to a publicly available hacking forum on 26th January.

The exposed list, which is kept hidden from the public, is a subset of the FBI's Terrorist Screening Database (TSD).

Several US government departments rely on the FBI's TSC (Terrorist Screening Center) to handle and distribute consolidated information for counterterrorism purposes. Like other TSC databases, the list is considered sensitive in nature, given its role in national security and law enforcement.

The leaked list includes 16 possible aliases for Viktor Bout, a well-known Russian weapons trader, according to crimew.

BleepingComputer examined a portion of two leaked CSV files with the names 'NOFLY' and 'SELECTEE'.

The second list probably refers to the few travellers who are subject to Secondary Security Screening Selection (SSSS) at airports upon arriving in the USA.

The no-fly list uploaded online has a total of 1,566,062 entries, some of which are duplicates or different spellings of the same name.

There are a total of 251,169 entries in the 'SELECTEE' list.

The Transportation Security Administration (TSA) is looking into the incident.

"On January 27, TSA issued a security directive to airports and air carriers," a spokesperson said.

"The security directive reinforces existing requirements on handling sensitive security information and personally identifiable information. We will continue to work with partners to ensure that they implement security requirements to safeguard systems and networks from cyberattacks."

A CommuteAir spokesperson said the exposed server's data included an outdated 2019 version of the federal no-fly list with names and birthdates.

After being notified of the vulnerability by a security researcher, CommuteAir has now taken the server offline.

"To date, our investigation indicates that no customer data was exposed. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees."

Dr. Mark Green, who serves as chair of the Homeland Security Committee, has sent a series of questions to TSA administrator David Peter Pekoske.

Pekoske said the situation could develop into a matter of national security.

"The hacker claimed they may have been able to exploit their access to the server to cancel or delay flights and even switch out crew members," the US Homeland Security Committee Members wrote in a letter dated 26th January.

"If this were to be the case, the national security implications of this are alarming."