



A Swiss hacker says she found a copy of the FBI's no-fly list on an unsecured server. The 2019 list, with over 1.5 million entries, includes an overwhelming number of Muslim passengers. The server, run by CommuteAir, also contained private employee data, such as passport numbers.

The FBI Terrorism Screening Center’s secret “no-fly” list has become much less mysterious thanks to a bored Swiss hacker who was exploring unsecured servers in her spare time.

Maia arson crimew, described by the Justice Department as a “prolific” hacker in an unrelated indictment, said she was clicking through an online search engine full of unprotected servers on January 12 when she accessed one run by a little-known airline and found the highly sensitive documents, along with what she called a “jackpot” of other information.

The Daily Dot first reported on Thursday that the server, hosted by CommuteAir, a regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted version of the 2019 counter-terrorism “no-fly” list. The “NoFly.csv” and “selectee.csv” files found by crimew contain more than 1.8 million entries, including the names and birthdates of people the FBI identifies as “known or suspected terrorists” who are barred from boarding an aircraft “when flying in, to, from, and over the United States.”

An airline spokesperson confirmed the authenticity of the files to Insider and said personally identifiable information belonging to employees was also found in the hack.

“Based on our initial investigation, no customer data has been exposed,” CommuteAir spokesperson Erik Kane said in a statement to Insider. “CommuteAir immediately took the affected server offline and launched an investigation to determine the extent of the data access. CommuteAir reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”

The Transportation Security Administration confirmed to Insider that it had been made aware of the incident.

“We are investigating in coordination with our federal partners,” TSA spokeswoman Lorie Dankers said in a statement to Insider.

The FBI did not immediately respond to Insider’s request for comment.

Easily accessible secrets

Crimew told Insider that it only took her a few minutes to access the server and find the credentials that allowed her to see the database. She said she was exploring the servers as a way to combat boredom while sitting alone and did not intend to discover anything with national security implications for the United States.

Going through the files on the company’s server, “I realized how much I had already owned them in just about half an hour,” crimew wrote in a blog post detailing the hack. The credentials she found, which gave her access to the files, would also allow her to access the internal interfaces that controlled refueling, canceling and updating flights, and exchanging crew members if she wished, she wrote.

The large files, reviewed by Insider, contain more than a dozen aliases for Viktor Bout, the Russian “merchant of death” who was traded in a prisoner swap for basketball player Brittney Griner, as well as a large number of names of people suspected of organized crime in Ireland. However, crimew said there was a noticeable trend among the names.

“Looking at the files, it just confirmed a lot of things that I, and probably everyone else, sort of suspected in terms of bias in this list,” crimew told Insider. “Just scrolling through it, you’ll see almost all the names are from the Middle East.”

Edward Hasbrouck, author and human rights advocate, wrote in his analysis of the documents that the lists “confirm (1) the Islamophobia of the TSA, (2) the overconfidence in the certainty of its pre-crime predictions, and (3) mission drift.”

“The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-looking names,” Hasbrouck wrote in an essay published Friday by Papers, Please, an advocacy group dedicated to fighting identity-based national travel rules.

“No-fly” mission creep

The “no-fly” list was created during the George W. Bush administration, originally beginning as a small list of people barred from flying on commercial flights due to specific threats. The list was formalized and significantly expanded after the 9/11 terrorist attacks in New York City, a national tragedy that sparked a spike in anti-Muslim discrimination and hate crimes across the country, according to the DOJ.

Inclusion on the list prevents individuals identified by the FBI who “may pose a threat to civil aviation or national security” from boarding planes flying within, to, from or over the United States. They do not need to have been charged or convicted of a crime to be included, just “reasonably suspected” of aiding or planning acts of terrorism.

In the years since the original “no-fly” list was formed, it gained official federal recognition and grew from just 16 names, according to the ACLU, to the 1,807,230 entries in documents found by crimew.

Looking at the list, crimew told Insider, “you start to notice how young some people are.” Among the hundreds of thousands of names on the list are the children of suspected terrorists, including one child whose date of birth indicates he would have been four or five when he was listed.

“What problem is this even trying to solve in the first place?” crimew told Insider. “I feel like it’s just a very perverse outgrowth of the surveillance state. And not just in the United States, it’s a global trend.”

In the early 2000s, there were numerous reports of people being wrongly placed on the no-fly list, including then-Senator Ted Kennedy and peace activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a federal lawsuit over the list, prompting the publication of its then 30,000 names and the creation by the TSA of an ombudsman to oversee complaints.

Not the first hack

Crimew, a staunch leftist and self-proclaimed anti-capitalist, has been charged with conspiracy, wire fraud and aggravated impersonation related to a previous hack in 2021. The DOJ alleges that she and several co-conspirators “hacked into dozens of companies and government entities and published the private data of victims of more than 100 entities on the web.”

The outcome of the 2021 case is still pending, crimew told Insider. Although she has not been contacted by law enforcement regarding the latest hack, she said she would not be surprised if it came to the attention of federal agencies again.

“It’s just a lot of personally identifiable information that could be used against people, especially in the hands of non-US intelligence agencies,” crimew wrote in a statement to Insider. For this reason, she said she chose to release the list through journalists and academic sources instead of posting it freely on her blog. “I just feel uncertain about publicly releasing a full list of people that some government entity considers ‘bad’. (It’s not that the US doesn’t use it against people, it just doesn’t need to be in the hands of even more hurtful people).”

CommuteAir faced a similar data breach in November, CNN reported, after an “unauthorized party” accessed information including names, birth dates and partial social security numbers held by the airline.

Crimew told Insider that the company’s lack of investment in its cybersecurity was an oversight caused by corporate greed, saying it was cheaper for the company to cut corners in its security procedures and pay to take care of the consequences than to invest properly in a safer system.

“Even the fact that they’ve been hacked before apparently wasn’t enough for them to really invest in it. And it really shows where the priorities are,” crimew told Insider. “I just hope that they may have learned their lesson the second time around.”

