Hacker exposes TSA's no-fly list

An investigation has been launched after a self-described hacker apparently discovered the Transportation Security Administration's no-fly list on an unsecured computer server, exposed on the public internet.

The list, discovered by a Swiss hacker known as maia arson crimew, contains over 1 million entries with names, birthdates and aliases of suspected or known terrorists who have been barred from air travel in the U.S., the Daily Dot reported.

The server was hosted by CommuteAir, a regional airline based in Ohio. In a statement to CNN, CommuteAir said the data accessed by the hacker was "an outdated 2019 version of the federal no-fly list." It also said the server was taken offline after a "member of the security research community" had contacted the airline.

The list named several high-profile figures, among them the recently freed Russian arms dealer Viktor Bout and at least 16 of his aliases, according to the Daily Dot. Bout, known as the "Merchant of Death," was sent back to Russia in December by the Biden Administration in a prisoner exchange for WNBA star Brittney Griner. The list also reportedly contains personal data of CommuteAir employees as well as flight plan information.

In a blog post, the hacker claims they stumbled upon the list out of boredom while searching for servers exposed on the internet. The text file was named, conspicuously enough, "NoFly.csv." Another list titled "selectee.csv" includes more than 250,000 entries of individuals who are subject to additional screening while flying.

"The nofly csv is almost 80mb in size and contains over 1.56 million rows of data," the hacker, who also describes themself as a cybersecurity researcher, wrote. "I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of... results."

In a statement to CNN, the TSA said that it is "aware of a potential cybersecurity incident with CommuteAir" and the agency is "investigating in coordination with our federal partners."

Rep. Dan Bishop, who sits on the House Homeland Security Committee, said Congress will also be "coming for answers."

"The entire US no-fly list - with 1.5 million+ entries - was found on an unsecured server by a Swiss hacker," Bishop (R-NC) said in a tweet. "Besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?"

The lists have been shared with journalists and researchers, including Edward Hasbrouck, an author and human rights advocate. He said there was a notable trend among the included names that "confirm the TSA's Islamophobia."

"The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names," Hasbrouck wrote in an essay for Papers, Please. "More than 10% of the entries on the No-Fly list (174,202 of 1,566,062) contain 'MUHAMMAD' in either the first or last name fields."

An FBI spokesperson told Insider its procedures for including people on the no-fly list are not indicative of bias.

"Individuals are included on the watchlist when there is reasonable suspicion to believe that a person is a known or suspected terrorist," the statement said. "Individuals are not watchlisted based solely on race, ethnicity, national origin, religious affiliation, or any First Amendment-protected activities."