First reported by the Daily Dot, an activist and hacker who goes by the name maia arson crimew uncovered a version of the United States government’s No-Fly List dated to 2019 on an unsecured server owned by regional US airline, CommuteAir (formerly CommutAir). The glimpse at this well-known, but not publicly available, US government registry is the latest in a cavalcade of major corporate security breaches in recent months.
Crimew, an independent hacker and researcher, discovered the list via a variant of Shodan, a cybersecurity-focused search engine that allows users to find unsecured servers on the net. Crimew found one such server owned by CommuteAir, a partner of United Airlines specializing in short-range flights. In addition to the list itself, preposterously named NoFly.csv, crimew uncovered detailed employee records for CommuteAir, as well as credentials to allow her access to “navlblue APIs for refuelling, cancelling, and updating flights, swapping out crew members, and so on.”
Crimew has not published the No-Fly List in full, but has made it available by request for journalists. Crimew described it to Kotaku as being over 1.56 million entries long, containing names, birthdates, and aliases for targeted individuals. Crimew told the Daily Dot that “it’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries.”
CommuteAir confirmed that the database was genuine and dated to 2019, while the TSA told the Daily Dot that it was “aware of a potential cybersecurity incident with CommuteAir,” and that it was “investigating in coordination with [its] federal partners.”
Although the US government maintained a small list of individuals with a “no transport” flag prior to 2001, the No-Fly list exploded in size and scope following the September 11 attacks. Critics argue the list is an opaque overreach of the security state that has disproportionately affected Muslims. The list includes some American citizens.
In 2016, Senator Diane Feinstein disclosed that the list covered 81,000 people, while in 2005, the TSA admitted that it had received 30,000 complaints from people who had been added to the list by mistake. It is unclear how many of the 1.5 million entries on NoFly.csv are aliases, accounting for common misspellings, or other forms of repeat entry for the same individual, while the Daily Dot mentions the possibility that this leak could reflect the wider and less restrictive Terrorism Screening Database as opposed to the narrower and harsher No-Fly List.
This is not crimew’s first act of hacktivism. She has previously leaked data from Intel, Nissan, and cloud-based security firm Verkada. Crimew had her home raided by Swiss police in relation to charges from the US government over these breaches, but she is protected from extradition to the United States by the Swiss constitution. Crimew maintains a personal website and active Twitter account.