A copy of the U.S. No Fly List has leaked after being stored on an unsecure server connected to a commercial airline. The No Fly List is an official list maintained by the U.S. government of people it has banned from traveling in or out of the United States on commercial flights.
As first reported by The Daily Dot, a Swiss hacker known as maia arson crimew discovered the list on an unsecured Jenkins server one night while poking around on Shodan, a search engine that lets people look through servers connected to the internet.
“Like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting goods,” crimew said in a blog about the leak. “At this point I've probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on. Lots of words I've heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”
On the server was a large amount of company data about CommuteAir, including the private information about its employees. There was also a file containing a copy of a 2019 edition of the No Fly List. The list includes names and birth dates and more than 1.5 million entries, but many of those entries are aliases that all reference the same person.“It’s so much bigger than I thought it’d be,” crimew told Motherboard.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” a spokesperson for the TSA told Motherboard.
The United States has maintained a No Fly List for decades, but its number was much smaller in the days before 9/11 and only contained 16 people. After the attacks and the creation of the Department of Homeland Security, the list rapidly expanded. The exact number of people on the list is unknown, and the leaked data is a few years old and contains multiple entries for a single individual, but recent estimates put the total number at somewhere between 47,000 and 81,000 people.
“It’s a perverse outgrowth of the U.S. police and surveillance state,” crimew said. “Just a list with no due process…mostly just based on them being related to someone or being from the same village as someone. It’s so massive. I feel like this has no place anywhere. I feel like this doesn’t solve the problem.”
crimew told Motherboard they weren’t shocked to stumble on an unsecured copy of the No Fly List. “I’ve been digging into various jenkins [servers] for a while and there’s just so much to find,” they said. “It was just a matter of time until I found something like this.”
CommuteAir said the leak happened because of a misconfigured development server. “The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth,” it said. “Additionally, through information found on the server the researcher discovered access to a database containing personal identifiable information of CommuteAir employees. Based on our initial investigation, no customer data was exposed. CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”