- A Swiss hacker says she found a copy of the FBI’s “no-fly” list on an unsecured server.
- The 2019 list, with over 1.5 million entries, includes an overwhelming number of Muslim passengers.
- The server, maintained by CommuteAir, also held private employee data, such as passport numbers.
The FBI Terrorism Screening Center’s secret “no-fly” list just got a lot less mysterious thanks to a bored Swiss hacker who was exploring unsecured servers in her free time.
Maia arson crimew, described by the Department of Justice as a “prolific” hacker in an unrelated indictment, said she was clicking around on an online search engine full of unprotected servers on January 12 when she accessed one maintained by a little-known airline and found the highly sensitive documents, along with what she called a “jackpot” of other information.
The Daily Dot first reported on Thursday that the server, hosted by CommuteAir, a regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted 2019 version of the anti-terrorism “no-fly” list. The files “NoFly.csv,” and “selectee.csv” found by crimew contain over 1.8 million entries including names and dates of birth of people the FBI identifies as “known or suspected terrorists” who are prevented from boarding aircraft “when flying within, to, from and over the United States.”
A spokesperson for the airline confirmed the authenticity of the files to Insider and said personally identifiable information belonging to employees was also found in the hack.
“Based on our initial investigation, no customer data was exposed,” Erik Kane, a spokesperson for CommuteAir, said in a statement to Insider. “CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”
The Transportation Security Administration confirmed to Insider that it had been made aware of the incident.
“We are investigating in coordination with our federal partners,” Lorie Dankers, a spokesperson for the TSA, said in a statement to Insider.
The FBI did not immediately respond to Insider’s request for comment.
Easily accessible secrets
Crimew told Insider it took just minutes for her to access the server and find credentials that allowed her to see the database. She said she was exploring the servers as a way to combat boredom while sitting alone and didn’t intend to discover something with US national security implications.
While browsing files in the company’s server, “it dawned on me just how heavily I had already owned them within just half an hour or so,” crimew wrote in a blog post detailing the hack. The credentials she found, which gave her access to the files, would also allow her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members — if she were so inclined, she wrote.
The massive files, reviewed by Insider, contain over a dozen aliases for Viktor Bout, the Russian “Merchant of Death” who was traded in a prisoner swap for basketball player Brittney Griner, as well as a large number of names of people suspected of organized crime in Ireland. However, crimew said there was a notable trend among the names.
“Looking at the files, it just confirmed a lot of the things me, and probably everyone else, kind of suspected in terms of what biases are in that list,” crimew told Insider. “Just scrolling through it, you will see almost every name is Middle Eastern.”
Edward Hasbrouck, an author and human rights advocate, wrote in his analysis of the documents that the lists “confirm the TSA’s (1) Islamophobia, (2) overconfidence in the certainty of its pre-crime predictions, and (3) mission creep.”
“The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names,” Hasbrouck wrote in an essay published Friday by Papers, Please, an advocacy group dedicated to addressing creeping identity-based national travel rules.
“No Fly” mission creep
The “no fly” list was created under the George W. Bush administration, originally beginning as a small list of people prevented from flying on commercial flights due to specific threats. The list was formalized and vastly expanded in scope after the 9/11 terrorist attacks on New York, a national tragedy that spawned a spike in anti-Muslim discrimination and hate crimes across the country, according to the DOJ.
Inclusion on the list prevents people the FBI identifies who “may present a threat to civil aviation or national security” from boarding planes flying within, to, from, or over the United States. They do not need to have been charged or convicted of a crime to be included, just “reasonably suspected” of aiding or planning acts of terrorism.
In the years since the original “no fly” list was formed, it has gained official federal recognition and grown from just 16 names, according to the ACLU, to the 1,807,230 entries in the documents found by crimew.
When looking at the list, Crimew told Insider, “you start to notice just how young some of the people are.” Among the hundreds of thousands of names on the list are the children of suspected terrorists including a child whose birthdate indicates they would have been four years old or five years at the time they were included.
“What problem is this even trying to solve in the first place?” crimew told Insider. “I feel like this is just a very perverse outgrowth of the surveillance state. And not just in the US, this is a global trend.”
In the early 2000s, there were many reports of people being wrongly placed on the “no fly” list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal suit over the list, prompting a release of its then 30,000 names and the TSA’s creation of an ombudsman to oversee complaints.
Not the first hack
Crimew, a staunch self-described leftist and anti-capitalist, was indicted for conspiracy, wire fraud, and aggravated identity theft related to a previous hack in 2021. The DOJ alleges she and several co-conspirators “hacked dozens of companies and government entities and posted the private victim data of more than 100 entities on the web.”
The outcome of the 2021 case is still pending, crimew told Insider. Though she hasn’t been contacted by law enforcement in relation to the latest hack, she said she wouldn’t be surprised that she had once again caught the attention of federal agencies.
“It’s just a whole lot of personally identifiable information that could be used against people, especially in the hands of non-US intelligence agencies,” crimew wrote in a statement to Insider. For that reason, she said she chose to release the list through journalists and academic sources instead of freely publishing it on her blog. “I just feel iffy about publicly releasing a list full of people some government entity considers ‘bad.’ (Not that the US doesn’t use it against people, it just doesn’t need to get in the hands of even more people doing harm).”
CommuteAir faced a similar data breach in November, CNN reported, after an “unauthorized party” accessed information that included names, birthdates, and partial social security numbers held by the airline.
Crimew told Insider the company’s lack of investment in its cybersecurity was an oversight caused by corporate greed, saying it is cheaper for the company cut corners in its security procedures and pay to take care of the aftermath than to invest properly into a safer system.
“Even the fact that they had already been hacked before apparently wasn’t enough for them to really invest in it. And that really just shows like where the priorities lie,” crimew told Insider: “I just hope they maybe learned their lesson the second time.”