- A Swiss hacker says she found a copy of the FBI’s no-fly list on an unsecured server.
- The 2019 list of over 1.5 million entries contains an overwhelming number of Muslim passengers.
- The server operated by CommuteAir also contained private employee data such as passport numbers.
The FBI Terrorism Screening Center’s secret “no-fly” list has become much less mysterious thanks to a bored Swiss hacker who was exploring unsecured servers in her spare time.
Maia Arson Crimew, who was described as a “prolific” hacker by the Justice Department in a separate indictment, said she found the highly sensitive documents on April 12, along with what she called a “jackpot” of other information.
The Daily Dot first reported on Thursday that the server hosted by CommuteAir, a regional airline working with United Airlines to form United Express routes, had in its files a redacted version of the anti-terrorist “No-Fly” list from 2019. The NoFly.csv and selecte.csv files found by crimew contain over 1.8 million entries, including names and dates of birth, of people the FBI has identified as “known or suspected terrorists” who are being prevented from boarding planes “when flying within the territory, to, from, and over the United States.”
An airline spokesman confirmed the authenticity of the files to Insider, saying the hack also found employees’ personal information.
“Based on our initial investigation, no customer details were disclosed,” Erik Kane, a spokesman for CommuteAir, said in a statement to Insider. “CommuteAir immediately took the affected server offline and launched an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency and has also notified its employees.”
The Transportation Security Administration confirmed to Insider that it was made aware of the incident.
“We are investigating in coordination with our federal partners,” Lorie Dankers, a spokeswoman for the TSA, said in a statement to Insider.
The FBI did not immediately respond to Insider’s request for comment.
Easily accessible secrets
Crimew told Insider that it only took her a few minutes to access the server and find credentials that would allow her to view the database. She said she was exploring the servers to combat the boredom of sitting alone and had no intention of discovering anything with US national security implications.
Browsing through files on the company’s server, “it dawned on me how much I had owned them within half an hour,” Crimew wrote in a blog post detailing the hack. The credentials she found that gave her access to the files would also give her access to internal interfaces that controlled refueling, flight cancellations and updates, and crew member swaps — if she felt like it, she wrote.
The massive files reviewed by Insider contain over a dozen aliases for Viktor Bout, the Russian “dealer of death” who was traded for basketball player Brittney Griner in a prisoner swap, as well as a large number of names of people suspected of organized crime in Ireland. However, Crimew said there is a notable trend among the names.
“Looking at the files, it just confirmed a lot of things that I and probably everyone else kind of suspected about the biases on this list,” Crimew told Insider. “If you just scroll through, you’ll see that almost every name is Middle Eastern.”
Edward Hasbrouck, an author and human rights defender, wrote in his analysis of the documents that the lists “confirm (1) Islamophobia, (2) the TSA’s over-reliance on the certainty of its crime predictions, and (3) mission creep.”
“The most obvious pattern in the data is the overwhelming predominance of Arabic- or Muslim-looking names,” Hasbrouck wrote in a paper published Friday by Papers, Please, an advocacy group dedicated to combating creeping identity-based national travel rules.
“No Fly” mission creep
Created under the George W. Bush administration, the “No Fly” list originally began as a small list of people who were prevented from flying on commercial flights due to specific threats. The list was formalized and significantly expanded in scope following the September 11, 2001 terrorist attacks in New York, a national tragedy that, according to the DOJ, led to a rise in anti-Muslim discrimination and hate crimes nationwide.
The list prevents individuals identified by the FBI who “could pose a threat to civil aviation or national security” from boarding aircraft flying within, to, from, or over the United States. They do not need to have been charged or convicted of a crime to be included, just “reasonably suspected” of supporting or planning terrorist attacks.
In the years since the original no-fly list was created, it has gained official state recognition, growing from just 16 names to 1,807,230 entries in the documents found by crimew, according to the ACLU.
Looking at the list, Crimew told Insider, “You’re starting to realize how young some of the people are.” Among the hundreds of thousands of names on the list are the children of suspected terrorists, including one child whose date of birth indicates they would have been four or five years old at the time they were added to the list.
“What problem is this even trying to solve?” Crimew told Insider. “I feel like this is just a very perverse outgrowth of the surveillance state. And not just in the US, it’s a global trend.”
In the early 2000s, there were many reports of people being wrongly placed on the no-fly list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal lawsuit over the list, resulting in the declassification of its then 30,000 names and the creation of an ombudsman by the TSA to monitor complaints.
Not the first hack
Crimew, a self-proclaimed leftist and anti-capitalist, has been charged with conspiracy, wire fraud and aggravated identity theft in connection with a previous 2021 hack. The DOJ claims she and several co-conspirators “hacked into dozens of companies and government entities and exposed the private victim data of more than 100 entities.”
The outcome of the 2021 case is still pending, Crimew told Insider. Though she was not contacted by law enforcement in connection with the latest hack, she said she wasn’t surprised that she’d attracted renewed attention from federal authorities.
“It’s just a lot of personally identifiable information that could be used against people, especially in the hands of non-US intelligence agencies,” Crimew wrote in a statement to Insider. Because of this, she said she chose to publish the list via journalists and academic sources rather than freely posting it on her blog. “I just feel skeptical about publicly posting a list of people a government agency considers ‘bad.’ (Not that the US doesn’t use it against humans, it just doesn’t need to get into the hands of more humans doing harm).”
CNN reported that CommuteAir faced a similar data breach in November after an “unauthorized party” accessed information containing airline names, dates of birth and, in some cases, social security numbers.
Crimew told Insider that the company’s underinvestment in its cybersecurity was an oversight caused by corporate greed, saying it was cheaper for the company to cut corners on its security procedures and deal with the consequences than to invest in a safer system.
“Even the fact that they had been hacked before apparently wasn’t enough for them to really invest in it. And that really just goes to show where the priorities are,” Crimew told Insider. “I just hope maybe they learned their lesson from this second time around.”