The Transportation Security Administration’s no-fly list is one of the most important ledgers in the United States, containing the names of people deemed such a threat to national security that they are not allowed to board airplanes. You would have been forgiven at the time for thinking that list was a closely guarded state secret, but lol, no.
A Swiss hacker known as maia arson crimew obtained a copy of the list, albeit a version from a few years ago, not by getting past fortress-like layers of cybersecurity, but by… finding a regional airline’s data lying on an unsecured server. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito looks extremely pleased with itself.
As they explain in a blog post detailing the process, crimew was bored and browsing online when they discovered CommuteAir’s servers sitting there in the open:
Like many of my other hacks this story started with my boredom and browsing search (or well, technically ZoomEye, a Chinese search), looking for open Jenkins servers that might have some interesting stuff. At this point I’ve probably clicked through 20 boring open servers with little interest, when I suddenly start seeing some familiar words: mentions of “ACARS”, “crew” and so on. Many words I’ve heard before, mostly while watching Mentour Pilot YouTube videos. Jackpot: an open Jenkins server belonging to CommuteAir.
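The open Jenkins server described in the passage above is the kind of exposure an operator can check for on an instance they administer. The following is an added example, not code from the article or from crimew’s blog: it sends an unauthenticated request to Jenkins’ built-in `/whoAmI/api/json` and root `/api/json` endpoints and reports whether the instance hands back data without a login. The target URL is a placeholder, and the JSON fields it inspects (`authenticated`, `name`, `jobs`) are assumptions about the shape of Jenkins’ responses.

```python
"""Audit a Jenkins instance you administer for anonymous read access.

Constructed/assumed: the target URL and the JSON field names checked in
interpret(); nothing here comes from the article or from any real server.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# Jenkins endpoints that should refuse unauthenticated callers on a hardened instance.
PROBES = ("/whoAmI/api/json", "/api/json")


def interpret(status: int, body: Optional[bytes]) -> str:
    """Map an unauthenticated HTTP response to a finding.

    Returns one of:
      "anonymous-read" - the instance answered a data endpoint without a login
      "auth-required"  - Jenkins refused (401/403), which is what we want
      "unknown"        - anything else (redirect to a login page, error, no answer)
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200 or body is None:
        return "unknown"
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unknown"
    # /whoAmI reports who Jenkins thinks the caller is; a 200 that still says
    # the caller is unauthenticated/anonymous means anonymous read is enabled.
    if data.get("authenticated") is False or data.get("name") == "anonymous":
        return "anonymous-read"
    # The root /api/json lists jobs; a job list served without a login is a finding.
    if "jobs" in data:
        return "anonymous-read"
    return "unknown"


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[bytes]]:
    """GET url with no credentials and return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, None
    except (urllib.error.URLError, TimeoutError, OSError):
        return 0, None


def audit(base_url: str) -> Dict[str, str]:
    """Probe each endpoint of a Jenkins you own and return a finding per path."""
    base = base_url.rstrip("/")
    return {path: interpret(*fetch(base + path)) for path in PROBES}


if __name__ == "__main__":
    import sys

    # Placeholder: replace with the Jenkins instance you administer.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://jenkins.example.invalid:8080"
    for path, finding in audit(target).items():
        print(f"{path}: {finding}")
```

Run it against your own Jenkins URL; any `anonymous-read` result means the instance is readable by anyone who can reach it, which is exactly the condition that put CommuteAir’s data in front of a bored stranger. The fix on the Jenkins side is to disable anonymous read in the authorization strategy and to keep the instance off the public internet.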
Among the other “sensitive” information on the server was “NOFLY.CSV,” which was hilariously exactly what it said on the tin: “The server contained data from the 2019 version of the federal no-fly list including first and last names and dates of birth,” CommuteAir corporate communications manager Eric Kane told the Daily Dot, which worked with crimew to sift through the data. “Furthermore, some CommuteAir personnel and flight information were accessible. We have submitted a notification to the Cybersecurity and Infrastructure Security Agency and we are continuing a thorough investigation.”
That crew and flight information included quite a lot, as crimew writes:
Grabbing sample documents from various S3 buckets, going through a flight plan and dumping some DynamoDB tables. At this point I had all the PII imaginable for each of their crew members. Full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next line check is due and more. I had trip sheets for every flight, the ability to access every flight plan, a whole bunch of image attachments for booking reimbursement flights, again with more PII, airplane maintenance data, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot it is “aware of a potential cybersecurity incident and we are investigating in coordination with our federal partners”.
If you’re wondering how many names are on the list, it’s hard to tell. crimew tells Kotaku that this version of the list “has about 1.5 million entries, but with so many aliases given to different people, it is very difficult to know the actual number of unique people on it” (a 2016 estimate put the count at 2,484,442 records, covering 1,877,133 individual identities).
Interestingly, the list was uploaded to CommuteAir’s servers in 2022, which was initially believed to be the year the list dated from. Instead, crimew tells me, “the only reason we [now] know [it’s] from 2019 is the airline keeps confirming it in all their press statements, before we assumed it was from 2022.”
You can check out crimew’s blog here, and the Daily Dot’s post, which says the names on the list include members of the IRA and an eight-year-old, is here.